I just would like to give my opinion on some of your points, which I don't agree with:

> Looking at the documentation directly, what they advise you to do is kind of the worst idea they could come up with: https://stripe.com/docs/webhooks/signatures – you need custom logic[2] to verify that their MAC ("signature" they call it incorrectly) is valid and you need to configure a different secret for each of your endpoints

It certainly helps that I use their official SDK, but it's one line of code to add the signature validation. Also, I'm not sure why you would want to create a lot of endpoints to listen to these webhooks. I simply have one, and the Stripe SDK helps me determine the event type, its deserialization, etc.

> Payment process information is such a vital business concern that "let's try to call them and if that fails... well we tried" is broken on principle alone

That's not how it works. The webhooks keep retrying with exponential backoff until they succeed. You can also manually retrigger them for individual events.

> The obvious approach is to have an event list which you as customer long-poll or just poll every few seconds if your framework doesn't support async well

Nothing prevents you from doing that. In fact, in my codebase I poll the Stripe API as a fallback to check whether a payment is successful in case there are issues with webhooks. But it's nice to have the webhook telling you immediately if a payment fails/succeeds, in order to give the user fast feedback about the status of his payment (and not wait for the next long-polling iteration).

Not everything on Stripe is perfect, but I do find it really pleasant to work with in general.
While what you say is correct, it doesn't apply to the problem Troy Hunt faced. What he needs is DDoS protection on his API. The request authentication Stripe provides is too complicated to be checked by the web application firewall.
The (edit:) pragmatic approach is to
a) not use webhooks or
b) let Stripe connect to you via HTTPS (to prevent replay attacks and leakage of the secret URI), give Stripe a secret URI, whitelist the secret URI in the WAF and verify the payload MAC via the official SDK.
> in order to give the user fast feedback about the status of his payment (and not wait for the next long-polling iteration)

Nitpick: The long poll / Server-Sent Event should respond immediately once there is new data available, so it should not be slower than the webhook.
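Both comments above turn on the same two mechanics: verifying the timestamped MAC that Stripe puts in the `Stripe-Signature` header (the "custom logic" the first comment says the SDK reduces to one line, and the "payload MAC" the reply wants checked behind the WAF), and coping with retries, since the sender keeps redelivering until it gets a success response. The following is an added example written for this thread, not code from either commenter nor from Stripe's SDK. It follows the scheme described on the linked documentation page (`t=<unix time>,v1=<hex>` header, HMAC-SHA256 over `"<t>.<raw body>"` with the endpoint secret) but implements it by hand so the check is visible; the 300-second replay window, the secret string, the event JSON and the hypothetical `WebhookProcessor` class are all assumptions made for the example.

```python
import hashlib
import hmac
import json
import time
from typing import List, Optional, Tuple

# Assumed for this example: how far a delivery's timestamp may drift from our
# clock before we treat it as a replay of a captured request.
TOLERANCE_SECONDS = 300


def parse_signature_header(header: str) -> Tuple[int, List[str]]:
    """Split 't=<ts>,v1=<hex>[,v1=<hex>...]' into (timestamp, [v1 signatures]).

    More than one v1 value may appear while a secret is being rotated, so all of
    them are returned and any one matching is accepted by verify_webhook().
    """
    timestamp: Optional[int] = None
    signatures: List[str] = []
    for item in header.split(","):
        key, _, value = item.strip().partition("=")
        if key == "t":
            timestamp = int(value)  # ValueError on garbage is caught by the caller
        elif key == "v1":
            signatures.append(value)
    if timestamp is None or not signatures:
        raise ValueError("malformed signature header")
    return timestamp, signatures


def compute_signature(secret: str, timestamp: int, payload: bytes) -> str:
    """HMAC-SHA256 over '<timestamp>.<raw body>', hex encoded."""
    signed_payload = str(timestamp).encode() + b"." + payload
    return hmac.new(secret.encode(), signed_payload, hashlib.sha256).hexdigest()


def verify_webhook(payload: bytes, header: str, secret: str,
                   now: Optional[int] = None,
                   tolerance: int = TOLERANCE_SECONDS) -> bool:
    """True only if the header is well formed, fresh, and the MAC matches the raw body."""
    now = int(time.time()) if now is None else now
    try:
        timestamp, signatures = parse_signature_header(header)
    except ValueError:
        return False
    # Freshness check: binding the timestamp into the MAC is what stops an
    # attacker from re-sending a captured delivery later.
    if abs(now - timestamp) > tolerance:
        return False
    expected = compute_signature(secret, timestamp, payload)
    # Constant-time comparison so a byte-at-a-time timing oracle cannot forge a MAC.
    return any(hmac.compare_digest(expected, sig) for sig in signatures)


class WebhookProcessor:
    """Hypothetical receiver: verifies, then handles each event id at most once.

    Deliveries are retried until the receiver answers 2xx, so the same event
    can legitimately arrive twice; the id set makes the handler idempotent.
    """

    def __init__(self, secret: str) -> None:
        self.secret = secret
        self.seen_ids = set()
        self.handled_types: List[str] = []

    def handle(self, payload: bytes, header: str, now: Optional[int] = None) -> str:
        if not verify_webhook(payload, header, self.secret, now):
            return "rejected"
        event = json.loads(payload)
        if event["id"] in self.seen_ids:
            return "duplicate"
        self.seen_ids.add(event["id"])
        self.handled_types.append(event["type"])
        return "processed"


def sign_for_test(secret: str, timestamp: int, payload: bytes) -> str:
    """Build a header the way the sender would; only used to construct sample input."""
    return f"t={timestamp},v1={compute_signature(secret, timestamp, payload)}"


def demo() -> dict:
    """Constructed sample deliveries exercising the success and failure paths."""
    secret = "whsec_example_not_a_real_secret"  # assumed value
    body = json.dumps({"id": "evt_001", "type": "payment_intent.succeeded"}).encode()
    now = 1_700_000_000  # fixed clock so the run is deterministic
    proc = WebhookProcessor(secret)
    good = sign_for_test(secret, now - 10, body)
    return {
        "fresh": proc.handle(body, good, now),                                   # processed
        "retry": proc.handle(body, good, now),                                   # duplicate
        "stale": proc.handle(body, sign_for_test(secret, now - 3600, body), now),  # rejected
        "tampered": proc.handle(body + b" ", good, now),                         # rejected
        "wrong_secret": proc.handle(body, sign_for_test("whsec_other", now, body), now),  # rejected
        "garbage": proc.handle(body, "not-a-header", now),                       # rejected
    }


if __name__ == "__main__":
    print(demo())
```

The MAC must be computed over the raw request bytes exactly as received; re-serialising a parsed JSON object will change whitespace or key order and the comparison will fail. The timestamp check is the part that makes the reply's "HTTPS to prevent replay" and the secret-URI whitelist complementary rather than redundant: TLS protects the delivery in transit, while the timestamped MAC lets the application reject a stale copy that reached the URI anyway.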