Does Cloudflare Alter Stripe Webhook Payloads? Help to Preserve Signature Integrity

What is the name of the domain?

api.scoremyinterview.com

What is the issue you’re encountering

Invalid Stripe signature: No signatures found matching the expected signature for payload

What steps have you taken to resolve the issue?

I’m currently experiencing issues with verifying Stripe webhook signatures for my application. My setup is as follows:
• Backend:
Hosted on Railway, serving a FastAPI application with a webhook endpoint at /stripe/webhook.
• Custom Domain:
I’m using Cloudflare as a reverse proxy with a custom subdomain (e.g., https://api.scoremyinterview.com/stripe/webhook) configured via a CNAME record.

Issue:
When Stripe sends webhook events (via the Stripe CLI or Dashboard), my application receives a payload along with the Stripe-Signature header. However, signature verification fails with an error like:
Invalid signature: No signatures found matching the expected signature for payload

This leads me to suspect that Cloudflare might be altering the raw request payload or headers before they reach my backend, causing the computed signature to not match the expected one.

Options I’m Considering:
1. Allowlisting Stripe IPs:
Adding a firewall rule in Cloudflare to allowlist all of Stripe’s webhook IP addresses (as documented here: Stripe IPs) so that those requests bypass security processing.
2. Creating a Page Rule:
Configuring a Page Rule for my webhook URL (e.g., https://api.scoremyinterview.com/stripe/webhook*) to disable security (or performance features) so that the raw payload and headers are preserved.

Questions:
• Does Cloudflare modify the webhook payload or headers in any way that might cause this signature verification error?
• If so, which approach is recommended to ensure that Stripe’s Stripe-Signature header and payload remain unaltered: allowlisting Stripe IPs or creating a Page Rule (or perhaps another method)?
• Are there any best practices or additional settings (e.g., disabling Rocket Loader, bypassing cache) that I should consider for endpoints receiving Stripe webhooks?

Any guidance or shared experiences would be greatly appreciated. Thank you so much.
nick.

Likely the request is just being blocked or challenged; check your security event log for the reason and then create a custom WAF rule to allow the request.
https://dash.cloudflare.com/?to=/:account/:zone/security/events

If the request is blocked by Bot Fight Mode on a Free plan, custom WAF rules won’t bypass it. In that case you’ll need to add the list of IP addresses to IP Access Rules, or disable Bot Fight Mode, or use Super Bot Fight Mode on a paid plan, which can be skipped by custom WAF rules.
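As an added illustration of the rule described above (not from this thread or from Cloudflare's documentation), a custom WAF rule with the Skip action can be scoped tightly to the webhook path, the POST method and the sender addresses, so nothing else on the zone loses protection. The ranges shown are RFC 5737 documentation placeholders; substitute the addresses from the Stripe IPs page linked in the question, and remember the caveat in the reply above that Bot Fight Mode on a Free plan is not skippable this way.

```text
Custom WAF rule (action: Skip)
Expression:
  (http.request.uri.path eq "/stripe/webhook"
   and http.request.method eq "POST"
   and ip.src in {192.0.2.0/24 198.51.100.0/24})
```

After saving, send a test event and confirm in the security events log that the request is recorded with the skip rule rather than a block or challenge action, and that the backend's own signature check now passes on the unmodified body.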

thank you so much - this worked!!
