8

I am using stripe.js for stripe payments. I need to setup a callback wenhook to receive the request from stripe.

Since the webhook is posted to by stripe - I have marked it as csrf_excempt.

  1. Is there any risk with making this view csrf_excempt?
  2. If I should have csrf protection on this view, how can I pass and get back the csrf tokens from stripe?
shabda
  • 1,668
  • 1
  • 18
  • 28
  • This is exactly what CSRF token is there to prevent. – Bibhas Debnath May 20 '13 at 16:31
  • Take a look [here](http://bryanhelmig.com/20-minutes-with-stripe-and-django/) – Mounir May 20 '13 at 16:49
  • @Mounir: This doesn't use stripe.js - we don't want to post the data to our servers. Too many PCI compliance hassles. – shabda May 20 '13 at 17:18
  • @Bibhas: A csrf_token is a shared secret between you and your user. Passing it to third party isn't a good design either. – shabda May 20 '13 at 17:27
  • Can you add {% csrf_token %} in your form and try if it work ? This inject an input hidden that contains the csrf token. – Mounir May 20 '13 at 17:29
  • 1
    @shabda but you're planning to pass your token to a 3rd party. And even if you do, it wont matter because of what Yuji answered anyway. – Bibhas Debnath May 20 '13 at 19:50

3 Answers3

9

That's not going to work. Definitely disable csrf for the callback from Stripe.

Even if you..

  • passed the csrf_token to stripe
  • found a way to get stripe to post that same token back to your callback URL

The token would be irrelevant at that point as the token is for your current browser session only (typically a cookie).

The CSRF token is generated upon every request and sent to the browser to be stored in a cookie. Stripe will not have this cookie and thus you'll get a CSRF Error just the same.

Yuji 'Tomita' Tomita
  • 115,817
  • 29
  • 282
  • 245
1

You might also want to consider just using django-stripe-payments in the future.

Patrick Altman
  • 890
  • 8
  • 10
1

As the accepted answer says there is no way to use CSRF token with stripe callbacks.

The recommended approach for security in the Stripe Webhook Documentation is to use the ID from the incoming webhook to send a request back to Stripe for the full event details.

Van Gale
  • 43,536
  • 9
  • 71
  • 81