Stripe Webhooks blocked by Cloudflare

Hey there,
I’m implementing Stripe Checkout on my website.
Everything is working fine, except that Cloudflare is blocking the webhook Stripe sends to validate a transaction.

I noticed this issue while pausing Cloudflare on my website: I receive webhooks only when Cloudflare is paused.

I’ve created two page rules that disable security on my webhook URL.

I’ve also added a Firewall rule to register the Stripe webhook IP addresses:

I’m stuck right here, with the great frustration of something that works, but not fully, because of this issue…
Any ideas on how to handle this?

2 Likes

Can you add the Stripe IP addresses, with an action of simply “Allow”? Then ensure that firewall rule is the first one in the list of any rules you have.

What I sometimes do if I can’t get a full list of IP addresses for such a service, is to instead whitelist the URI of the webhook endpoints. This does expose your site to attack via those endpoints, but it’s probably unlikely to happen.

1 Like

Thx for that answer, Gareth,

I’ve tried the Allow action and the first rule, but it still doesn’t work.

What do you mean by whitelisting the webhook endpoint URIs?

So add a firewall rule like the below:

Change “/stripe/endpoint.asp” to the URI that Stripe connects back to on your website. You might need to add more than one URI using an “OR” condition. If you’re not sure what these URIs are, consult the Stripe documentation, or in your account go to Firewall > Overview and find the entries where Stripe is being blocked. You can then probably figure out the URIs from there.

Remember to make this firewall rule one of the first in the list.

Hope this helps.

1 Like

Thx Gareth, gonna give it a try and follow up :wink:

I’ve made the change using my webhook link: https://everycars.co/u/webhook.php and also added the URLs used by Stripe:
api.stripe.com
checkout.stripe.com
files.stripe.com
js.stripe.com
m.stripe.com
m.stripe.network
q.stripe.com

Still not working…

If you’re using Firewall Rules, then this implies there’s something in the Firewall Event Log that’s showing the blocked access. Have you found the relevant entries?

2 Likes

As Sdayman said, what does the Firewall event log show? Can you see the requests from Stripe in there? Are they allowed or blocked? If blocked, which rule is listed as being triggered?

I also notice that the webhook link you posted is returning a 400 Bad Request error, and in the source code it says, “Undefined index: HTTP_STRIPE_SIGNATURE”. That may or may not be related to your issue.

1 Like
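As an added example, not code from anyone in this thread: a webhook.php that checks for the Stripe-Signature header before reading it (so a header-less request gets a clean 400 rather than the “Undefined index” notice above) and verifies the signature with HMAC-SHA256 and a timestamp window before trusting the payload. The STRIPE_WEBHOOK_SECRET environment variable and the file layout are assumptions.

```php
<?php
// Verify a Stripe-Signature header ("t=<unix ts>,v1=<hex hmac>[,v1=...]") against
// the raw request body: the signed payload is "<t>.<body>", HMAC-SHA256 keyed with
// the endpoint's signing secret. Returns false rather than throwing on bad input.
function verifyStripeSignature(string $payload, string $header, string $secret,
                               int $tolerance = 300, ?int $now = null): bool
{
    $timestamp = null;
    $signatures = [];
    foreach (explode(',', $header) as $part) {
        $kv = explode('=', trim($part), 2);
        if (count($kv) !== 2) {
            continue;
        }
        if ($kv[0] === 't' && ctype_digit($kv[1])) {
            $timestamp = (int) $kv[1];
        } elseif ($kv[0] === 'v1') {
            $signatures[] = $kv[1];
        }
    }
    if ($timestamp === null || $signatures === []) {
        return false;
    }
    // Reject stale timestamps so a captured request cannot simply be replayed later.
    if (abs(($now ?? time()) - $timestamp) > $tolerance) {
        return false;
    }
    $expected = hash_hmac('sha256', $timestamp . '.' . $payload, $secret);
    foreach ($signatures as $sig) {
        if (hash_equals($expected, $sig)) { // constant-time comparison
            return true;
        }
    }
    return false;
}

$secret = getenv('STRIPE_WEBHOOK_SECRET') ?: ''; // assumption: secret comes from the environment
// A request without the header (a browser visit, a probe) gets a clean 400 instead of
// the "Undefined index: HTTP_STRIPE_SIGNATURE" notice seen when the thread's URL was opened.
$sigHeader = $_SERVER['HTTP_STRIPE_SIGNATURE'] ?? '';
$payload = (string) file_get_contents('php://input');
if ($sigHeader === '' || !verifyStripeSignature($payload, $sigHeader, $secret)) {
    http_response_code(400);
    exit('Missing or invalid Stripe-Signature header');
}
$event = json_decode($payload, true);
// ... handle $event['type'], e.g. checkout.session.completed, then acknowledge quickly ...
http_response_code(200); // a prompt 200 is what Stripe expects; anything else triggers retries
echo 'ok';
```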

Something like this?

1 Like

Are there any where the action is Blocked?

1 Like

Nope, in this list everything is on Allow.
I don’t understand anything…

In that screen above, click “+ Add filter” and add a condition to only show blocked requests. Then see if any of them are the Stripe webhook URL.

1 Like

Nothing blocked here :cold_sweat:

The Stripe team is telling me to ask: what is it in my configuration that is causing a 307 redirect when sending POST requests to my endpoint, and how can I ensure that it returns a 200 OK (i.e., the server response) instead?

If nothing is shown as blocked, then Cloudflare isn’t blocking the request.

Are you able to examine the log files on your origin server to see if the requests are appearing there, and what the HTTP status code is?

Yep, I can see the logs on my server, but only the ones which have a 200 code. I assume the other ones are intercepted by Cloudflare before arriving at my server.

So can you do a test payment, and see if a successful 200 entry (or some other status code) appears in the log on your server?

1 Like

When Cloudflare is paused: YES
When Cloudflare is activated: NO
This is what tells me something is wrong with Cloudflare…

When Cloudflare is activated and you make a test payment and don’t see an entry in the log at your origin server, what does the entry say in the Cloudflare Firewall event history? Can you confirm an entry appears there with an action of “allow” at the precise time of you placing the test payment?

OK, I’ve done this exact test:

  • Cloudflare activated
  • Test payment processed on Stripe
  • Webhook sent from Stripe to my endpoint
  • Requests from Stripe failed
  • Cloudflare firewall entries appearing (see picture)

This is the missing piece. We’d really need to see the failure message.

This thread takes a pretty deep dive on the subject: