Cloudflare + Stripe Recurring Payments Issue?

For the firewall on my site, I have “Known Bots” as allow.

But, everything else was set to JS challenge.

A few weeks ago, I noticed recurring payments from Stripe had stopped being processed completely (using the MemberMouse WordPress plugin for recurring payment processing).

Upon disabling the JS challenge, the payments would resume (granted I had to re-process them manually).

I’m curious if there is a set of IPs or criteria that can be set for Stripe to bypass the JS Challenge within Cloudflare.

Also, if there is a list of “Known Bots”, to see if stripe is included.

Thank you.

The “Known Bots” list isn’t up to date, but here it is:

That’s something you’d have to get from Stripe. Sometimes it’s easiest to rely on a User Agent String, though it’s not the most secure approach.


Stripe has a list of domains:

Stripe domains

Stripe uses the following fully qualified domain names to interact with your integration:

api.stripe.com
checkout.stripe.com
dashboard.stripe.com
files.stripe.com
js.stripe.com
m.stripe.com
m.stripe.network
q.stripe.com
stripe.com

Source: https://stripe.com/docs/ips#stripe-domains

Which firewall rule would I use to allow these?

The firewall doesn’t go by connecting hostname. You’d have to use their very large list of IP addresses. Unfortunately, they’re using Amazon AWS, so there’s no easy way to get around the large list of IP addresses.

I used Excel to make the expression.

I’m assuming this should work?

As long as it’s fewer than 4K characters (I think that’s the limit). An “Is In” list might even be better.

(ip.src in {12.34.56.78 98.76.54.32 123.123.123.123 111.222.333.444})
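As an added example (not code from any poster in this thread), a small Python helper that builds the `ip.src in {...}` expression from a list of Stripe addresses, rejects malformed entries such as the 333/444 octets in the expression above, and splits the list so each expression stays under the 4K-character limit the reply mentions. The IP list is constructed for illustration; the real addresses come from Stripe’s published IP documentation, and the 4096 cap is an assumption taken from the reply, not a documented Cloudflare constant.

```python
import ipaddress

# Cloudflare firewall expressions are limited in length; the reply above
# quotes roughly 4K characters, so this cap is an assumption, not an API constant.
MAX_EXPR_LEN = 4096


def parse_ips(lines):
    """Return (valid, rejected) for a list of IPv4/IPv6 address or CIDR strings."""
    valid, rejected = [], []
    for raw in lines:
        token = raw.strip()
        if not token or token.startswith("#"):
            continue
        try:
            net = ipaddress.ip_network(token, strict=False)
        except ValueError:
            rejected.append(token)  # e.g. an octet above 255, which Cloudflare would refuse
            continue
        # Single hosts render as bare addresses; real ranges keep their prefix length.
        valid.append(str(net.network_address) if net.num_addresses == 1 else str(net))
    return valid, rejected


def build_expressions(ips, field="ip.src", max_len=MAX_EXPR_LEN):
    """Split addresses into as few `field in {...}` expressions as fit under max_len."""
    exprs, chunk = [], []
    def render(items):
        return f"({field} in {{{' '.join(items)}}})"
    for ip in ips:
        if chunk and len(render(chunk + [ip])) > max_len:
            exprs.append(render(chunk))
            chunk = []
        chunk.append(ip)
    if chunk:
        exprs.append(render(chunk))
    return exprs


# Constructed sample list (not Stripe's real addresses); replace with Stripe's published list.
SAMPLE_IPS = ["12.34.56.78", "98.76.54.32", "123.123.123.123", "111.222.333.444", "2001:db8::/32"]

if __name__ == "__main__":
    ok, bad = parse_ips(SAMPLE_IPS)
    print("rejected:", bad)
    for expr in build_expressions(ok):
        print(expr)
```

Each returned expression can be pasted into its own allow rule; a rejected entry is one to fix before Cloudflare refuses the whole expression.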

I implemented these rules with “allow” just to capture and see the traffic.

Thus far, no traffic has been captured coming in from Stripe, so perhaps it works a bit differently, or it’s been recently integrated with the “known bots” filter.


Taking a blind guess, but having such huge rules might affect performance, as that whole query has to be executed for every request you receive. It’s likely a few extra ms, but… there has to be a better way (IP ranges?). Consider whitelisting referring domains, perhaps? :)

Are you using Super Bot Fight Mode by any chance?

I tried to see if anything passed through that rule as well, but nothing.

Always had this on, with no issues. Only when the ‘JavaScript challenge’ was enabled.

Super Bot Fight Mode was just released last month. It’s a new option under the Firewall | Bots | Configure Super Bot Fight Mode.

SBFM is very restrictive and anything but ALLOW will block some traffic - including automated, RSS feeds and others.

It is worth double checking that.
