Paypal IPN - Resonse Validation

maxchri.development · July 26, 2020, 1:23pm

Hello there!

I have migrated my server to cloudflare. I’m using paypal ipn for my shop. It’s running on my own cms which works basically fine.

Now the problem starts as paypal works as reverse proxy server. Usually a response from paypal can be identified via host e.g “paypal.com” so you know it’s from the official pp site.

When running cloudflare you always get the cf host and not paypal anymore. So you cannot confirm if the response came from paypal or any bad user. Result: you can easily fake paypal response and buy anything you want.

Is there any way to avoid this?

My code was like this:

// check if validation post is from paypal
$hostname = gethostbyaddr($_SERVER['REMOTE_ADDR']);
if (!preg_match('/paypal.com$/', $hostname)) {
	return;
}

sandro · July 25, 2020, 10:51am

You need to rewrite the IP addresses on a server level

Though this kind of validation is not necessarily the safest. You better follow what Paypal documented at https://developer.paypal.com/docs/api-basics/notifications/ipn/IPNIntro/#ipn-protocol-and-architecture

system · August 9, 2020, 1:24pm

This topic was automatically closed after 14 days. New replies are no longer allowed.