How do you verify that the notification to the Silent Post URL is indeed from PayPal Payflow and not a hacker?

僤鯓⒐⒋嵵緔 submitted on 2019-12-23 03:43:16

Question


Payflow supports a Silent Post URL, which is a page that will be notified upon completion of a successful transaction (payment, refund, etc.). The Silent Post URL can be configured via the PayPal manager.

Most similar payment systems implement the notion of a "post back" where the receiving software can post back the results to make sure that the transaction information is legitimate and not originating from a hacker. Payflow doesn't appear to support a post back and the Payflow Pro documentation doesn't mention any other way of verifying the transaction data received at the Silent Post URL.


Answer 1:


All valid PayPal notifications originate from 173.0.81.65. Simply ignore any notifications that don't come from this IP.

The answer is hidden away in the depths of the PayPal knowledge base: https://ppmts.custhelp.com/app/answers/detail/a_id/445. More information can also be found at https://ppmts.custhelp.com/app/answers/detail/a_id/883/kw/payflow%20ip%20address




Answer 2:


I have chosen a different approach: passing an authentication token within my request to PayPal, which I validate after receiving the POST request.
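
One way to combine the token approach from Answer 2 with the source-address check from Answer 1, as an added example that is not part of either original answer. It assumes the gateway echoes a merchant-supplied field back in the Silent Post; the field names `order_id`, `amount` and `token`, the key and the helper names are hypothetical.

```python
import hashlib
import hmac
import ipaddress
import secrets

# Constructed demo key; in practice load a random secret from server-side config.
SECRET_KEY = b"constructed-demo-key"
# Address quoted in Answer 1 on this page; confirm it against current PayPal docs.
ALLOWED_SOURCES = {ipaddress.ip_address("173.0.81.65")}


def _message(order_id: str, amount: str, nonce: str) -> bytes:
    # Reject the delimiter inside values so field boundaries cannot be shifted.
    if "|" in order_id or "|" in amount or "|" in nonce:
        raise ValueError("delimiter in field")
    return f"{order_id}|{amount}|{nonce}".encode()


def make_token(order_id: str, amount: str, key: bytes = SECRET_KEY) -> str:
    """Build the token sent with the payment request, bound to order and amount."""
    nonce = secrets.token_hex(8)
    mac = hmac.new(key, _message(order_id, amount, nonce), hashlib.sha256)
    return f"{nonce}.{mac.hexdigest()}"


def verify_silent_post(fields: dict, remote_addr: str, seen_nonces: set,
                       key: bytes = SECRET_KEY) -> bool:
    """Return True only for an unmodified, first-time notification."""
    try:
        # remote_addr must be the socket peer, not a client-supplied header.
        if ipaddress.ip_address(remote_addr) not in ALLOWED_SOURCES:
            return False
        nonce, mac = fields["token"].split(".", 1)
        msg = _message(fields["order_id"], fields["amount"], nonce)
    except (KeyError, ValueError):
        return False
    expected = hmac.new(key, msg, hashlib.sha256).hexdigest()
    # Constant-time comparison avoids leaking how many characters matched.
    if not hmac.compare_digest(expected.encode(), mac.encode()):
        return False
    if nonce in seen_nonces:  # replay of an earlier valid notification
        return False
    seen_nonces.add(nonce)
    return True
```

Because the MAC covers the order id and amount, a notification whose amount was altered fails verification even if it arrives from the expected address.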



Source: https://stackoverflow.com/questions/24148603/how-do-you-verify-that-the-notification-to-the-silent-post-url-is-indeed-from-pa
