PayPal IPN - Response Validation

Hello there!

I have migrated my server to Cloudflare. I’m using PayPal IPN for my shop. It’s running on my own CMS, which works basically fine.

Now the problem starts as PayPal works as a reverse proxy server. Usually a response from PayPal can be identified via host, e.g. “paypal.com”, so you know it’s from the official pp site.

When running Cloudflare you always get the CF host and not PayPal anymore. So you cannot confirm if the response came from PayPal or any bad user. Result: you can easily fake a PayPal response and buy anything you want.

Is there any way to avoid this?

My code was like this:

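```php
// check if validation post is from paypal
$hostname = gethostbyaddr($_SERVER['REMOTE_ADDR']);
// dot escaped and match anchored on a label boundary, so "notpaypal.com" or "paypalXcom" do not pass
if (!preg_match('/(^|\.)paypal\.com$/', $hostname)) {
	return;
}
```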

You need to rewrite the IP addresses on a server level.

https://support.cloudflare.com/hc/en-us/articles/360029696071-Restoring-original-visitor-IPs-Option-2-Installing-mod-remoteip-with-Apache

Though this kind of validation is not necessarily the safest. You better follow what PayPal documented at Introducing IPN.
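
The postback check from PayPal's IPN documentation that the reply points to, as an added example (not the poster's code or PayPal's sample): the listener sends the message back to PayPal over TLS and trusts only a `VERIFIED` answer, so the sender's IP or hostname no longer matters behind a proxy. The function names, the `$seen` replay lookup, the sample message and the stub transport are assumptions made for illustration; it needs PHP 7.4 or later.

```php
<?php
// Added example: PayPal IPN postback check. Trust comes from PayPal's answer
// over TLS, not from REMOTE_ADDR or reverse DNS, so it works behind a proxy.
const IPN_ENDPOINT = 'https://ipnpb.paypal.com/cgi-bin/webscr';

// Real transport: POST the body back to PayPal with certificate checks on.
function paypalPost(string $body): string {
    $ch = curl_init(IPN_ENDPOINT);
    curl_setopt_array($ch, [
        CURLOPT_POST           => true,
        CURLOPT_POSTFIELDS     => $body,
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_SSL_VERIFYPEER => true,
        CURLOPT_SSL_VERIFYHOST => 2,
        CURLOPT_TIMEOUT        => 30,
        CURLOPT_HTTPHEADER     => ['User-Agent: shop-ipn-listener', 'Connection: close'],
    ]);
    $res = curl_exec($ch);
    curl_close($ch);
    return $res === false ? '' : trim($res);
}

// $post: callable(string $body): string, the transport (paypalPost in production).
// $seen: callable(string $txnId): bool, hypothetical lookup of processed txn_ids.
function ipnIsTrusted(string $raw, callable $post, string $shopEmail, callable $seen): bool {
    // Echo the message back byte for byte, prefixed with the validate command.
    if ($post('cmd=_notify-validate&' . $raw) !== 'VERIFIED') {
        return false;
    }
    parse_str($raw, $f);
    // A VERIFIED message can still be for another receiver, not completed, or a
    // resend. The caller should also compare mc_gross and mc_currency to the order.
    return ($f['payment_status'] ?? '') === 'Completed'
        && strcasecmp($f['receiver_email'] ?? '', $shopEmail) === 0
        && !$seen($f['txn_id'] ?? '');
}

// Constructed sample message and stub transport so the demo runs offline.
$sample = 'payment_status=Completed&receiver_email=shop%40example.com&txn_id=TEST123&mc_gross=9.99';
$stub   = fn(string $b): string => strpos($b, 'txn_id=TEST123') !== false ? 'VERIFIED' : 'INVALID';
$never  = fn(string $id): bool => false;
$forged = str_replace('TEST123', 'FORGED', $sample);

var_dump(ipnIsTrusted($sample, $stub, 'shop@example.com', $never)); // genuine message
var_dump(ipnIsTrusted($forged, $stub, 'shop@example.com', $never)); // message PayPal never sent
// In the listener: ipnIsTrusted(file_get_contents('php://input'), 'paypalPost', $email, $lookup);
```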
