
What is a Webhook Signing Secret?

Craft CMS Asked by Britchie on December 15, 2020

I could not find any documentation on the ‘Webhook Signing Secret’ used in Commerce Settings > Gateway > Stripe Gateway. Can someone tell me what this is, what it’s used for and typically what I should be entering as a value? Not sure if this is even required? References or insight most appreciated.

One Answer

Webhooks are like callback events. Basically when something happens on Stripe's side (e.g. a new customer created, a trial subscription cancelled, etc.) your application can get notified as well and take the appropriate action.

They're less useful when your application controls that entire process but in the case of subscriptions, let's say the customer's card declines after month 2. You definitely want to get notified when that happens and take the appropriate action since Stripe is taking care of those payments.

A webhook signing secret is optional but it's basically a signature for verifying that whatever webhook Stripe is sending is legit. Stripe uses a secret key that Commerce can use to verify that Stripe was really the author of that webhook call, which can help prevent things like replay attacks.

It's less useful in the case of smaller applications but if you're building something with Stripe Connect where multiple users can authenticate, get payouts, etc. it becomes essential.

In the case of security, nothing is ever binary. Much like CSRF protection, you want layers of an onion and signing secrets provide another layer of protection.

Answered by RitterKnight on December 15, 2020
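
The check the signing secret enables, as an added example that is not part of the answer above and not Craft Commerce's own code. It assumes Stripe's documented `Stripe-Signature` header format (`t=<timestamp>,v1=<hex HMAC-SHA256 of "<timestamp>.<raw body>">`) and a five-minute tolerance; the function names, secret, and event body are constructed for illustration.

```python
import hashlib
import hmac
import time

TOLERANCE_SECONDS = 300  # assumption: five-minute window against replays


def sign(secret: str, timestamp: int, payload: bytes) -> str:
    """Hex HMAC-SHA256 over "<timestamp>.<raw body>" keyed with the secret."""
    signed = str(timestamp).encode() + b"." + payload
    return hmac.new(secret.encode(), signed, hashlib.sha256).hexdigest()


def verify(secret, header, payload, now=None, tolerance=TOLERANCE_SECONDS):
    """Return True only if the body is authentic and recent."""
    timestamp, candidates = None, []
    for item in header.split(","):
        key, _, value = item.strip().partition("=")
        if key == "t":
            timestamp = value
        elif key == "v1":
            candidates.append(value)
    try:
        ts = int(timestamp)
    except (TypeError, ValueError):
        return False  # missing or malformed timestamp
    expected = sign(secret, ts, payload).encode()
    # Constant-time compare; more than one v1 may be sent while a secret is rolled.
    if not any(hmac.compare_digest(expected, c.encode()) for c in candidates):
        return False  # forged sender, wrong secret, or altered body
    now = int(time.time()) if now is None else now
    # The timestamp is covered by the HMAC, so an old capture cannot be re-dated.
    return abs(now - ts) <= tolerance


# Constructed sample data (not real Stripe values)
SECRET = "whsec_constructed_example"
BODY = b'{"id":"evt_constructed","type":"invoice.payment_failed"}'
SENT_AT = 1608000000
HEADER = f"t={SENT_AT},v1={sign(SECRET, SENT_AT, BODY)}"

if __name__ == "__main__":
    tampered = BODY.replace(b"failed", b"succeeded")
    print("genuine :", verify(SECRET, HEADER, BODY, now=SENT_AT + 10))
    print("tampered:", verify(SECRET, HEADER, tampered, now=SENT_AT + 10))
    print("replayed:", verify(SECRET, HEADER, BODY, now=SENT_AT + 3600))
```

The verification must run over the raw request bytes exactly as received; re-serializing the parsed JSON changes the bytes and the HMAC no longer matches.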
