Transfer csrf token to Stripe

I use stripe.js for payments. I need to set up a webhook callback to receive a request from Stripe.

Since the webhook is sent by Stripe, I marked the view as csrf_exempt.

  • Is there any risk in this csrf_exempt?
  • If I should have CSRF protection on this view, how can I pass a CSRF token to Stripe and get it back?
+6
3 answers

This will not work. Definitely disable CSRF for the callback from Stripe.

Even if you...

  • passed the csrf_token to Stripe, and
  • found a way to get Stripe to post the same token back to your callback URL,

at that point the token would be irrelevant, since the token is only valid for your current browser session (usually a cookie).

A CSRF token is generated for each request and sent to the browser for storage in a cookie. Stripe will not have this cookie, and thus you will get the CSRF error the same way.

+5

You may also consider using django-stripe-payments in the future.

+1

The accepted answer says that you cannot use the CSRF token with Stripe callbacks.

The recommended security approach in the Stripe webhook documentation is to take the event identifier from the incoming webhook and send a request back to Stripe for the complete event information.

0
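The two answers above combined, as an added example that is not part of the original thread: a Django view that is marked csrf_exempt (the first answer's point, since Stripe has no session cookie to present) and that trusts nothing in the POST body except the event id, re-fetching the event from Stripe before acting on it (the third answer's point). The Stripe lookup is injected as a callable so the logic runs offline; wiring it to `stripe.Event.retrieve` from the official Python library, the `evt_` id prefix check, the `FAKE_STRIPE_EVENTS` data and every function name here are assumptions of this example, not from the page.

```python
import json
from typing import Callable, Mapping, Optional

# The lookup callable takes an event id and returns the event as a dict, or None when
# Stripe does not know that id. With the official library (assumption, not shown on
# the page) it would wrap stripe.Event.retrieve(event_id) and map a lookup error to None.
EventLookup = Callable[[str], Optional[Mapping]]
Handler = Callable[[Mapping], None]


class WebhookRejected(ValueError):
    """The POST could not be tied to a genuine Stripe event."""


def event_id_from_payload(raw_body: bytes) -> str:
    """Pull only the event id out of the posted body.

    Nothing else in the body is trusted: the URL is CSRF-exempt, so anyone who can
    reach it can POST arbitrary JSON claiming any event type or amount.
    """
    try:
        payload = json.loads(raw_body.decode("utf-8"))
    except (UnicodeDecodeError, ValueError) as exc:
        raise WebhookRejected("body is not valid JSON") from exc
    event_id = payload.get("id") if isinstance(payload, dict) else None
    # Stripe event ids carry the "evt_" prefix; checking it keeps junk out of the lookup.
    if not isinstance(event_id, str) or not event_id.startswith("evt_"):
        raise WebhookRejected("missing or malformed event id")
    return event_id


def process_webhook(raw_body: bytes, lookup: EventLookup,
                    handlers: Mapping[str, Handler]) -> str:
    """Re-fetch the event from Stripe and dispatch on the *fetched* copy.

    Returns the handled event type, or "ignored" if no handler is registered.
    """
    event_id = event_id_from_payload(raw_body)
    event = lookup(event_id)
    if event is None:
        raise WebhookRejected(f"Stripe has no event {event_id}")
    event_type = event.get("type", "")
    handler = handlers.get(event_type)
    if handler is None:
        return "ignored"
    handler(event["data"]["object"])  # data from Stripe's answer, not from the POST body
    return event_type


def rejection_reason(raw_body: bytes, lookup: EventLookup) -> Optional[str]:
    """None if the body would be accepted, otherwise why it was rejected."""
    try:
        process_webhook(raw_body, lookup, {})
    except WebhookRejected as exc:
        return str(exc)
    return None


def make_django_view(lookup: EventLookup, handlers: Mapping[str, Handler]):
    """Build the Django view. Django is imported lazily so the logic above runs without it."""
    from django.http import HttpResponse, HttpResponseBadRequest
    from django.views.decorators.csrf import csrf_exempt
    from django.views.decorators.http import require_POST

    @csrf_exempt      # Stripe holds no session cookie, so Django's CSRF check cannot pass
    @require_POST
    def stripe_webhook(request):
        try:
            process_webhook(request.body, lookup, handlers)
        except WebhookRejected as exc:
            return HttpResponseBadRequest(str(exc))
        return HttpResponse(status=200)

    return stripe_webhook


# Constructed sample data standing in for Stripe's own records (not real events).
FAKE_STRIPE_EVENTS = {
    "evt_test_1": {
        "id": "evt_test_1",
        "type": "charge.succeeded",
        "data": {"object": {"id": "ch_test_1", "amount": 2000, "currency": "usd"}},
    },
}


def fake_lookup(event_id: str) -> Optional[Mapping]:
    return FAKE_STRIPE_EVENTS.get(event_id)


if __name__ == "__main__":
    # A forged POST: real id, but an inflated amount and a bogus type.
    forged = json.dumps({"id": "evt_test_1", "type": "charge.refunded",
                         "data": {"object": {"amount": 999999}}}).encode()
    seen = []
    print(process_webhook(forged, fake_lookup, {"charge.succeeded": seen.append}))
    print(seen)  # the handler saw Stripe's amount 2000, not the forged 999999
    print(rejection_reason(b'{"id": "evt_unknown"}', fake_lookup))
```

With this pattern a forger who reaches the CSRF-exempt URL can only make you process events Stripe really emitted, which you would have processed anyway, so duplicate delivery handling (idempotency on the event id) is the remaining concern. Note, as a fact not on the page, that Stripe later added signed webhooks: the `Stripe-Signature` header verified with `stripe.Webhook.construct_event` lets you authenticate the POST body directly instead of re-fetching, and is the approach current Stripe documentation recommends.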

Source: https://habr.com/ru/post/945439/
