CIRCLE

Reputation: 4879

Check if legit PayPal HTTP notify_url request

I've been searching for some information about PayPal header information but can't find anything.
I'm trying to find a secure way to verify if the post information sent to my notify_url is in fact from PayPal itself.

I've checked the $_SERVER variable and there is not a single key similar to HTTP_PAYPAL that could tell me that the request is from PayPal.

The only thing close was the HTTP_USER_AGENT but it can be easily modified:

'HTTP_USER_AGENT' => 'PayPal IPN ( https://www.paypal.com/ipn )'

How can I instruct PayPal to return me some custom headers to validate the request?

Upvotes: 1

Views: 257

Answers (1)

David Nguyen

Reputation: 8528

PayPal allows you to query the full POST against their servers to verify a transaction. Essentially, you take the POST, append cmd=_notify-validate to it and contact PayPal. PayPal will reply with VERIFIED or UNVERIFIED.

https://developer.paypal.com/docs/classic/ipn/gs_IPN/

Upvotes: 2
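
The postback described in the answer above, as an added PHP example that is not part of the original question or answer. The endpoint URL is an assumption taken from PayPal's classic IPN documentation, and the function names `paypal_postback` and `ipn_is_verified` are hypothetical.

```php
<?php
// Added example, not code from the original answer.
// Assumption: live postback endpoint from PayPal's classic IPN docs (use the sandbox host when testing).
const IPN_VERIFY_URL = 'https://ipnpb.paypal.com/cgi-bin/webscr';

// Send the notification back to PayPal byte-for-byte, with cmd=_notify-validate added.
function paypal_postback(string $rawBody): string
{
    $ch = curl_init(IPN_VERIFY_URL);
    curl_setopt_array($ch, [
        CURLOPT_POST           => true,
        CURLOPT_POSTFIELDS     => 'cmd=_notify-validate&' . $rawBody,
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_SSL_VERIFYPEER => true, // the TLS certificate is what authenticates PayPal here
        CURLOPT_SSL_VERIFYHOST => 2,
        CURLOPT_TIMEOUT        => 30,
    ]);
    $reply  = curl_exec($ch);
    $status = curl_getinfo($ch, CURLINFO_HTTP_CODE);
    if ($reply === false || $status !== 200) {
        throw new RuntimeException('IPN postback failed');
    }
    return $reply;
}

// $postback is injectable so the accept/reject decision can be exercised offline.
function ipn_is_verified(string $rawBody, ?callable $postback = null): bool
{
    if ($rawBody === '') {
        return false;
    }
    $postback = $postback ?? 'paypal_postback';
    // Fail closed: only the exact reply VERIFIED is accepted.
    return trim($postback($rawBody)) === 'VERIFIED';
}

if (PHP_SAPI !== 'cli') {
    // Use the raw body, not a re-encoded $_POST, so PayPal sees what it sent.
    $raw = file_get_contents('php://input');
    try {
        if (ipn_is_verified($raw)) {
            parse_str($raw, $ipn); // then check receiver_email, txn_id and amount against your records
        }
    } catch (RuntimeException $e) {
        http_response_code(500); // verification could not be completed; do not process the payment
    }
} else {
    $sample = 'txn_id=TEST123&payment_status=Completed'; // constructed sample body
    var_dump(ipn_is_verified($sample, fn($b) => "VERIFIED\n"), ipn_is_verified($sample, fn($b) => 'other'));
}
```

Request headers such as User-Agent are never consulted; the decision rests only on the reply PayPal gives over a certificate-verified TLS connection.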
