bkrnetic | Stripe Developers | Page 1

short echoBOT Oct 12, 2022, 1:39 PM

#

golden socket Oct 12, 2022, 1:40 PM

#

Subquestion for Stripe agents - is validating webhook by constructing event enough in terms of security? One of the solutions is to simply remove the IP check...

tired frigate Oct 12, 2022, 1:42 PM

#

Hello 👋

Has somebody struggled with getting real IP when validating webhook requests in Node.JS? I've tried all the approaches and cannot seem to make it work. It always gets the last IP in the chain (the container's one). My app is built in docker image. I'm aware this is not really Stripe related but I was hoping I might get the help here.
I don't think we'd be able to help much with this unfortunately.

is validating webhook by constructing event enough in terms of security? One of the solutions is to simply remove the IP check...
It should be, yes.
Also you can configure your firewall to only allow Stripe IPs and block the other ones if that makes it easier. You'll only receive the webhook events from one of the IPs listed on the page

https://stripe.com/docs/ips
https://stripe.com/docs/ips#webhook-notifications

golden socket Oct 12, 2022, 1:45 PM

#

Yes that how my validation works right now but my proxies mess up with it and I cannot retrieve original IP.

#

Thanks

tired frigate Oct 12, 2022, 1:46 PM

#

ah I see.

tired frigate Oct 12, 2022, 2:01 PM

#

Yeah can't think of a way to workaround this 😦

#bkrnetic