Open loicginoux opened 1 year ago
Thanks, @loicginoux. I hadn't thought about that, and having an extra layer of security is good. Although, technically, as we're checking the event signature, we should be safe.
I'd say that's not a must-have for the first release but still necessary. Checking the signature is not enough if an employee steals the API key and sends events to your webhook endpoints, making it look like they're coming from Stripe.
Desired Behavior
Events received via webhooks should be verified as coming from a Stripe server, for security reasons, before being processed/handled. https://stripe.com/docs/ips
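One way to implement the check this issue asks for, as an added example that is not the project's own code: a source-address allowlist check combined with Stripe-Signature verification, so a request that carries a valid signature (the stolen-key case raised in the comments) is still rejected when it does not originate from a Stripe address. The allowlist below is constructed for the example from RFC 5737 documentation ranges; the real ranges must be loaded from https://stripe.com/docs/ips and refreshed. The function names (`stripe_ip?`, `valid_signature?`, `accept_webhook?`), the sample secret and the sample event body are assumptions made for this example.

```ruby
require "ipaddr"
require "openssl"

# CONSTRUCTED allowlist for this example (RFC 5737 documentation ranges).
# A real deployment loads the current list from https://stripe.com/docs/ips
# and refreshes it, since Stripe adds and retires addresses.
SAMPLE_STRIPE_WEBHOOK_IPS = %w[192.0.2.10 192.0.2.11 198.51.100.0/24].freeze

# True when remote_ip falls inside one of the allowlisted addresses or CIDR
# ranges. remote_ip must be the TCP peer address, or the client address that
# your own trusted proxy wrote into X-Forwarded-For; a client-supplied
# X-Forwarded-For header is attacker-controlled and must not be used here.
def stripe_ip?(remote_ip, allowlist = SAMPLE_STRIPE_WEBHOOK_IPS)
  addr = IPAddr.new(remote_ip.to_s)
  allowlist.any? { |entry| IPAddr.new(entry).include?(addr) }
rescue IPAddr::InvalidAddressError
  false
end

# HMAC-SHA256 over "<timestamp>.<raw body>", the value Stripe places in the
# v1 field of the Stripe-Signature header.
def stripe_signature(timestamp, payload, secret)
  OpenSSL::HMAC.hexdigest("SHA256", secret, "#{timestamp}.#{payload}")
end

# Parses "t=<unix ts>,v1=<hex>,v1=<hex>,..." into [timestamp, [v1 signatures]].
def parse_signature_header(header)
  pairs = header.to_s.split(",").map { |kv| kv.strip.split("=", 2) }
  timestamp = pairs.find { |k, _| k == "t" }&.last
  sigs = pairs.select { |k, _| k == "v1" }.map(&:last).compact
  [timestamp, sigs]
end

# Constant-time comparison so response timing cannot leak the expected MAC.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Verifies the signature over the raw request body and rejects timestamps
# outside the tolerance window to limit replay of a captured request.
def valid_signature?(payload, header, secret, tolerance: 300, now: Time.now.to_i)
  timestamp, sigs = parse_signature_header(header)
  return false if timestamp.nil? || sigs.empty?
  return false if (now - timestamp.to_i).abs > tolerance
  expected = stripe_signature(timestamp, payload, secret)
  sigs.any? { |sig| secure_equal?(sig, expected) }
end

# Both checks must pass. Returns [accepted?, reason] so the caller can log why
# a request was dropped without echoing that reason back to the sender.
def accept_webhook?(remote_ip:, payload:, sig_header:, secret:,
                    allowlist: SAMPLE_STRIPE_WEBHOOK_IPS, now: Time.now.to_i)
  return [false, "source address not in Stripe allowlist"] unless stripe_ip?(remote_ip, allowlist)
  return [false, "missing, invalid or stale Stripe-Signature"] unless valid_signature?(payload, sig_header, secret, now: now)
  [true, "ok"]
end

if __FILE__ == $PROGRAM_NAME
  secret = "whsec_example_not_a_real_secret"                      # constructed
  body = '{"id":"evt_example","type":"checkout.session.completed"}' # constructed
  ts = Time.now.to_i
  header = "t=#{ts},v1=#{stripe_signature(ts, body, secret)}"
  # Valid signature from an allowlisted address: accepted.
  p accept_webhook?(remote_ip: "192.0.2.10", payload: body, sig_header: header, secret: secret)
  # Same valid signature (stolen key) from a non-Stripe address: rejected.
  p accept_webhook?(remote_ip: "203.0.113.5", payload: body, sig_header: header, secret: secret)
end
```

The address check runs first because it is cheap and needs no secret, but it is only defence in depth: the signature check still protects against anyone who can reach the endpoint from an allowlisted address, and the allowlist only helps if the address you check is the real peer address rather than a header the sender can set.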