shotster_webhooks | Stripe Developers | Page 1

desert mortarBOT May 13, 2024, 3:05 PM

#

👋 Welcome to your new thread!

⏲️ We'll be here soon! Typically we respond in a few minutes, but sometimes we might take a bit longer if the server is busy or if you have a particularly tricky question.

⏱️ We close idle threads, which makes them read-only. Once a thread is closed it won't be reopened, but you can always start a new thread if you have another question.

🔗 This thread will always be available, even after it's closed. You can find it again using Discord's search, or you can save this link: https://discord.com/channels/841573134531821608/1239594306684325898

📝 Have more to share? Add more details, code, screenshots, videos, etc. below.

sweet oyster May 13, 2024, 3:06 PM

#

Hello

#

You can't really handle Webhooks at all without server-side access?

#

I'm not sure what you mean here really.

#

Like retrieving an Event also requires a server-side API request

urban kindle May 13, 2024, 3:09 PM

#

I can create a publicly accessible endpoint, but I cannot implement any "code" server-side to verify the signature (it's a no-code platform).

#

FYI, the webhook is working, but it's not "secure". I'm wondering if making a call back to Stripe to retrieve the data via the event id is just as secure as verifying the signature. And if so, are there any drawbacks to that approach.

sweet oyster May 13, 2024, 3:11 PM

#

Gotcha

#

No it isn't secure if you aren't verifying signatures. Yes, retrieving the Event itself is secure, but there is no guarantee in this case that someone isn't messing with Event IDs here and manipulating what you are doing if you are taking any action based on a non-signature-verified Webhook

urban kindle May 13, 2024, 3:14 PM

#

Ok, as long as you're cretain. I ask only b/c I saw a stack overflow post saying the opposite - i.e. that they confirmed through Stripe that retrieving the event via the id IS just as secure. That seems to contradict what you're saying.

sweet oyster May 13, 2024, 3:15 PM

#

I just said that retrieving an Event by the ID is indeed secure. But how do you know you are actually retrieving the right Event

#

Like someone could be maliciously hitting your endpoint and having you retrieve Events that aren't really what you should be doing

#

Since they could be actively sending "fake Events" to your endpoint

#

I think that is pretty low-risk

urban kindle May 13, 2024, 3:16 PM

#

You're first sentence was, "No it isn't secure if you aren't verifying signatures." ...hence my confusiion.

sweet oyster May 13, 2024, 3:16 PM

#

That is in reference to the Webhook endpoint

#

But the actual retrieval request is secure, yes. Stripe won't return you "incorrect" data if you retrieve an Event

urban kindle May 13, 2024, 3:17 PM

#

But if I'm retrieving the event directly from Stripe, wouldn't I get an error if someone is maliciously hitting my endpoint with bogus event ids?

sweet oyster May 13, 2024, 3:19 PM

#

Sure

urban kindle May 13, 2024, 3:20 PM

#

Ok, so you're saying someone could maliciously be sending "valid" event ids that don't represent "fresh" data that I should act on?

sweet oyster May 13, 2024, 3:20 PM

#

If there is no way for someone to get their hands on Event IDs for your account then yes, this should be a fine route to go

#

Yeah pretty much

#

I'm just saying that if you aren't verifying signatures then your code isn't 100% secure

urban kindle May 13, 2024, 3:21 PM

#

Ok, got it. Thanks much!

#shotster_webhooks