#kryze_


slender vineBOT
humble steppe
#

Can you elaborate on the question?

#

We can really just answer questions about our API usage directly. Can't advise on security/safety practices in other frameworks really

upper junco
#

On my shop application, I listen to webhook for expired order, confirmed one...
When I put nothing I got
`ActionController::InvalidAuthenticityToken (Can't verify CSRF token authenticity.):`
Online they said that putting this line doesn't put a risk since there is prevention with
```
event = Stripe::Webhook.construct_event(
  payload, sig_header, endpoint_secret
)
```

humble steppe
#

Oh I understand

#

Yeah you'd need to disable csrf protection for that endpoint

#

```
        payload, sig_header, endpoint_secret
      )
```
verifies the request is coming from Stripe

upper junco
#

Okay so there is no risk doing it?

humble steppe
#

You can't enable csrf protection on your webhook endpoint

#

Because we won't be able to successfully make requests to it

upper junco
#

Okay perfect! 🙂

#

Thanks!