Question
I am using stripe.js for Stripe payments. I need to set up a callback webhook to receive the request from Stripe.
Since the webhook is posted to by Stripe, I have marked it as csrf_exempt.

- Is there any risk with making this view csrf_exempt?
- If I should have CSRF protection on this view, how can I pass and get back the CSRF tokens from Stripe?
Answer 1:
That's not going to work. Definitely disable CSRF for the callback from Stripe.

Even if you:

- passed the csrf_token to Stripe
- found a way to get Stripe to post that same token back to your callback URL

the token would be irrelevant at that point, as the token is for your current browser session only (typically a cookie).
The CSRF token is generated upon every request and sent to the browser to be stored in a cookie. Stripe will not have this cookie and thus you'll get a CSRF error just the same.
Answer 2:
You might also want to consider just using django-stripe-payments in the future.
Answer 3:
As the accepted answer says, there is no way to use a CSRF token with Stripe callbacks.
The recommended approach for security in the Stripe webhook documentation is to use the ID from the incoming webhook to send a request back to Stripe for the full event details.
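An added example (not code from the question or from any of the answers) of the approach Answers 1 and 3 describe: the endpoint is CSRF-exempt, so the POST body is treated as untrusted, and the only thing taken from it is the event ID, which is then used to retrieve the authoritative event from Stripe. The function names, the `evt_` ID pattern, the `fetch_event` callback and the sample events are constructed for this example; in a real view the callback would wrap the Stripe library's `stripe.Event.retrieve`.

```python
import json
import re
from typing import Callable, Optional, Tuple

# Stripe event ids look like "evt_<alphanumeric>". This pattern is an input-hygiene
# assumption made for the example, not a rule taken from Stripe's documentation.
EVENT_ID_RE = re.compile(r"^evt_[A-Za-z0-9]+$")

# Lookup that asks Stripe for the authoritative copy of an event (assumed interface).
# In a real deployment this wraps stripe.Event.retrieve(event_id), which calls
# GET https://api.stripe.com/v1/events/{id} with your secret API key.
FetchEvent = Callable[[str], Optional[dict]]


class WebhookError(ValueError):
    """Raised when the incoming request cannot be tied to a real Stripe event."""


def extract_event_id(body: bytes) -> str:
    """Parse the raw POST body and return only the event id; everything else is ignored."""
    try:
        data = json.loads(body)
    except (ValueError, UnicodeDecodeError) as exc:
        raise WebhookError("body is not valid JSON") from exc
    event_id = data.get("id") if isinstance(data, dict) else None
    if not isinstance(event_id, str) or not EVENT_ID_RE.match(event_id):
        raise WebhookError("missing or malformed event id")
    return event_id


def verify_event(body: bytes, fetch_event: FetchEvent) -> dict:
    """
    Return the trusted event. Anyone can POST to a CSRF-exempt URL, so the body
    is untrusted: the id is the only field read from it, and every field that is
    acted on comes from the copy Stripe returns for that id.
    """
    event_id = extract_event_id(body)
    event = fetch_event(event_id)
    if event is None:
        raise WebhookError("Stripe has no event with id " + event_id)
    if event.get("id") != event_id:
        raise WebhookError("retrieved event does not match the requested id")
    return event


def handle_webhook(body: bytes, fetch_event: FetchEvent) -> Tuple[int, dict]:
    """
    The logic a csrf_exempt Django view would run on request.body. Returns
    (HTTP status, trusted event or error) so the view can answer with
    HttpResponse(status=status); Stripe retries deliveries that get a non-2xx.
    """
    try:
        return 200, verify_event(body, fetch_event)
    except WebhookError as exc:
        return 400, {"error": str(exc)}


# ---- constructed sample data so the example runs offline ----
# Stand-in for Stripe's side: the only event that really exists, with its real amount.
STRIPE_EVENTS = {
    "evt_1AbCdEf": {
        "id": "evt_1AbCdEf",
        "type": "charge.succeeded",
        "data": {"object": {"id": "ch_1AbCdEf", "amount": 2000, "currency": "usd"}},
    }
}


def fake_fetch_event(event_id: str) -> Optional[dict]:
    """Offline replacement for stripe.Event.retrieve (constructed for this example)."""
    return STRIPE_EVENTS.get(event_id)


# A forged POST: a real event id, but the body claims a much larger payment.
FORGED_BODY = json.dumps({
    "id": "evt_1AbCdEf",
    "type": "charge.succeeded",
    "data": {"object": {"id": "ch_1AbCdEf", "amount": 999999, "currency": "usd"}},
}).encode()

# A POST naming an event Stripe never emitted.
UNKNOWN_BODY = b'{"id": "evt_doesNotExist", "type": "charge.succeeded"}'


if __name__ == "__main__":
    status, event = handle_webhook(FORGED_BODY, fake_fetch_event)
    print(status, event["data"]["object"]["amount"])  # Stripe's amount, not the forged 999999
    print(handle_webhook(UNKNOWN_BODY, fake_fetch_event))
    print(handle_webhook(b"not json", fake_fetch_event))
```

In Django the view is simply `@csrf_exempt` around `status, _ = handle_webhook(request.body, fetch)` followed by `return HttpResponse(status=status)`, where `fetch` calls `stripe.Event.retrieve(event_id)` and returns `None` when the library reports that no such event exists. The forged body above gets a 200 because the id is real, but the handler acts on the 2000-unit amount Stripe returns, not the 999999 in the request. Beyond what the answers cover: Stripe now also signs each delivery with a `Stripe-Signature` header, which the library checks in `stripe.Webhook.construct_event`; that check and the fetch-by-id approach can be used together.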
Source: https://stackoverflow.com/questions/16653962/passing-csrf-token-to-stripe