Paypal IPN - Resonse Validation

maxchri.development · July 24, 2020, 11:01pm

Hello there!

I have migrated my server to Cloudflare. I’m using paypal ipn for my shop. It’s running on my own cms which works basically fine.

Now the problem starts as paypal works as reverse proxy server. Usually a response from paypal can be identified via host e.g “paypal.com” so you know it’s from the official pp site.

When running Cloudflare you always get the cf host and not paypal anymore. So you cannot confirm if the response came from paypal or any bad user. Result: you can easily fake paypal response and buy anything you want.

Is there any way to avoid this?

My code was like this:

// check if validation post is from paypal
$hostname = gethostbyaddr($_SERVER['REMOTE_ADDR']);
if (!preg_match('/paypal.com$/', $hostname)) {
	return;
}

sandro · July 24, 2020, 11:11pm

You need to rewrite the IP addresses on a server level

https://support.cloudflare.com/hc/en-us/articles/360029696071-Restoring-original-visitor-IPs-Option-2-Installing-mod-remoteip-with-Apache

Though this kind of validation is not necessarily the safest. You better follow what Paypal documented at Introducing IPN

system · August 9, 2020, 1:24pm

This topic was automatically closed after 14 days. New replies are no longer allowed.

Topic		Replies	Views
Paypal IPN isssue, how to allow Paypal IPN Security	8	2019	October 15, 2023
Will Paypal IPN work ok on June 30 - TLS 1.2 is required Security	2	2607	July 19, 2018
PayPal Support Getting Started dns , dash-ssl-tls , dash-getting-started	2	3398	June 3, 2019
Cloudflare masks request ip? DNS & Network dash-troubleshooting	4	2565	February 23, 2019
Paypal IPN shows HTTP response code 403 Delivery status Failed General	2	2433	September 20, 2022

Paypal IPN - Resonse Validation

Related topics