
I am using PayPal for payments on my site, and when someone successfully completes a purchase, PayPal calls the notify_url that I specified and passes it some POST data. From the POST I only use item_number and txn_id.

The URL that I am using for the notify_url is a public URL and anyone can visit it. How do I ensure that only Paypal can request this URL and everyone else is blocked?

Ryan

2 Answers


Allow only POST, and implement the callback validation described in the IPN documentation.

user207421
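The two measures in this answer, accepting only POST and sending the message back to PayPal for validation, look like this in code. This is an added example, not code from the original answer or from PayPal: it assumes a hypothetical listener that hands the raw POST body to handle_ipn(), and the HTTP transport is injectable so the logic can run offline. The IPN validation handshake itself is as documented by PayPal: POST the complete, unaltered body back to PayPal with cmd=_notify-validate prepended and accept the message only if PayPal answers VERIFIED. The sample IPN body and the fake_paypal transport are constructed for the example; the txn_id de-duplication and the payment_status check are additions beyond what the answer states.

```python
"""PayPal IPN receiver core (added example; not from the original post)."""
from urllib.parse import parse_qs
from urllib.request import Request, urlopen

# Live IPN validation endpoint. The sandbox equivalent is
# https://ipnpb.sandbox.paypal.com/cgi-bin/webscr
PAYPAL_VERIFY_URL = "https://ipnpb.paypal.com/cgi-bin/webscr"

# Constructed sample of what PayPal POSTs to notify_url (not a real transaction).
SAMPLE_IPN = (b"txn_id=TX123&item_number=42&payment_status=Completed"
              b"&mc_gross=9.99&mc_currency=USD&receiver_email=seller%40example.com")


def build_validation_body(raw_body: bytes) -> bytes:
    """PayPal requires the exact bytes it sent, with cmd=_notify-validate in front."""
    return b"cmd=_notify-validate&" + raw_body


def default_transport(body: bytes) -> str:
    """POST the validation body to PayPal over HTTPS and return its one-word verdict."""
    req = Request(
        PAYPAL_VERIFY_URL,
        data=body,
        method="POST",
        headers={"Content-Type": "application/x-www-form-urlencoded",
                 "User-Agent": "ipn-receiver/1.0"},
    )
    with urlopen(req, timeout=10) as resp:  # hypothetical timeout value
        return resp.read().decode("utf-8", "replace").strip()


def fake_paypal(body: bytes) -> str:
    """Simulated PayPal validation endpoint for offline use: only the exact
    SAMPLE_IPN bytes are VERIFIED; any altered body is INVALID."""
    prefix = b"cmd=_notify-validate&"
    if body.startswith(prefix) and body[len(prefix):] == SAMPLE_IPN:
        return "VERIFIED"
    return "INVALID"


def handle_ipn(method: str, raw_body: bytes, transport=default_transport,
               seen_txn_ids=None) -> dict:
    """Validate one IPN call. Returns {"ok": True, "item_number", "txn_id"} on
    success, otherwise {"ok": False, "reason": ...}. seen_txn_ids is the caller's
    persistent store of processed transactions (a set here for illustration)."""
    if seen_txn_ids is None:
        seen_txn_ids = set()
    # 1. Only POST is accepted; PayPal never calls notify_url with GET.
    if method != "POST":
        return {"ok": False, "reason": "method not allowed"}
    # 2. Ask PayPal whether it really sent these exact bytes.
    verdict = transport(build_validation_body(raw_body))
    if verdict != "VERIFIED":
        return {"ok": False, "reason": f"paypal said {verdict}"}
    # 3. Only now parse and act on the fields the site cares about.
    fields = parse_qs(raw_body.decode("utf-8", "replace"), keep_blank_values=True)
    txn_id = fields.get("txn_id", [""])[0]
    item_number = fields.get("item_number", [""])[0]
    if not txn_id:
        return {"ok": False, "reason": "missing txn_id"}
    # A VERIFIED message can be replayed; process each txn_id once.
    if txn_id in seen_txn_ids:
        return {"ok": False, "reason": "duplicate txn_id"}
    # Pending/Refunded/Reversed notifications are also VERIFIED; only fulfil Completed.
    if fields.get("payment_status", [""])[0] != "Completed":
        return {"ok": False, "reason": "payment not completed"}
    seen_txn_ids.add(txn_id)
    return {"ok": True, "item_number": item_number, "txn_id": txn_id}


if __name__ == "__main__":
    print(handle_ipn("POST", SAMPLE_IPN, transport=fake_paypal))
    tampered = SAMPLE_IPN.replace(b"item_number=42", b"item_number=1")
    print(handle_ipn("POST", tampered, transport=fake_paypal))
```

The point of step 2 is that the validation request goes to PayPal's own HTTPS host, not to anything taken from the incoming request, so a forged message cannot vouch for itself. Respond to PayPal with HTTP 200 quickly and do the slow work afterwards, otherwise PayPal retries and the duplicate check is what saves you.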

As @EJP mentioned, sending the verification back to PayPal will allow you to validate that the data came from PayPal so that you know it's legitimate, but others could still hit the URL.

If you want to completely block them you could do that through your .htaccess file on your server (assuming you're running Apache) or using your firewall. You'll just need to block all traffic except for PayPal's IPN IP addresses.

64.4.248.8
64.4.249.8
173.0.84.40
173.0.84.8
173.0.88.40
173.0.88.8
173.0.92.8
173.0.93.8
Drew Angell
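The .htaccess restriction this answer suggests, as an added example that is not part of the original answer. It uses Apache 2.4 mod_authz_core syntax and assumes the IPN handler is a file named ipn.php (an assumed name) and that AllowOverride permits AuthConfig for the directory. The addresses are the ones listed in the answer; check them against PayPal's currently published list before deploying, and note that if a reverse proxy or CDN sits in front of Apache the client address Apache sees is the proxy's, so the rule would block PayPal itself.

```apache
# .htaccess next to the IPN handler (Apache 2.4, mod_authz_core).
# Added example, not from the original answer; "ipn.php" is an assumed name.
# Source address filtering is a second layer only: the handler must still
# send every message back to PayPal for validation.
<Files "ipn.php">
    <RequireAll>
        # PayPal only ever POSTs to notify_url.
        Require method POST
        # PayPal IPN source addresses as listed in the answer above.
        Require ip 64.4.248.8 64.4.249.8 173.0.84.40 173.0.84.8 173.0.88.40 173.0.88.8 173.0.92.8 173.0.93.8
    </RequireAll>
</Files>
```

Anyone else requesting the URL receives 403 from Apache before the script runs. Apache 2.2 would express the same rule with Order/Deny/Allow instead of Require.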