#developer
Hello! I know a lot about webhooks, but not a lot about Django. Can you explain more about that last part of your question?
Hey @cold zinc, I might be able to help out here. CSRF is a Django-specific requirement that helps to protect against cross-site forgery. This is really more of a Django question than it is a Stripe question. With Stripe webhooks, we provide a signature mechanism to validate the webhook.
Yep, was just reading about that! https://stackoverflow.com/questions/51710145/what-is-csrf-exempt-in-django
It sounds like you would need to use @csrf_exempt for webhooks, as the POST request is coming from Stripe, not your website.
Yes, by definition a webhook is going to be a cross-site request (it originates from Stripe's servers and hits your servers) so you cannot use CSRF functionality if you want to accept those webhooks.
Sounds good. Thanks for the help!
No problem at all!
Oh, turns out we have some documentation about this! https://stripe.com/docs/webhooks/best-practices#csrf-protection
Thanks @cold zinc, that's also helpful for me. Also worth adding that, because you are turning off CSRF for these endpoints, it is critical that you are validating the signatures sent by Stripe. That is the only mechanism that tells you if a request is valid or not, so it's very important.
Thanks @cold zinc, that's helpful! I'll add @require_POST as well...
@pearl creek, about validating the signature: does constructing the event with the Stripe signature do the work? (I mean these two lines: sig_header = request.META['HTTP_STRIPE_SIGNATURE']
event = stripe.Webhook.construct_event(
payload, sig_header, endpoint_secret
)
)
Yep, the construct_event function handles signature verification if you supply it with an endpoint secret.
@spare oracle we have documentation on how to verify signatures that includes a code sample using Django. https://stripe.com/docs/webhooks/signatures