Is server -> api.stripe.com really necessary? (firewall)

  • Resolved maltfield

    (@maltfield)


    2 years, 5 months ago

    Is it a requirement of this software that my web server is able to initiate connections to api.stripe.com?

    For security reasons, my server’s firewall blocks my web server (apache) from initiating outgoing connections. This is further reinforced by the following line in wp-config.php

    define( ‘WP_HTTP_BLOCK_EXTERNAL’, true );

    As such, the above makes wordpress deny plugins calls to wp_remote_get() fail (via block_request() returning true). For example, wordpress will not allow WooCommerce to call-home to woocommerce.com. And wordpress will not allow WooCommerce Stripe Payment Gateway to call-home to api.stripe.com. Even if it bypasses this wordpress block, the server’s firewall would drop the network traffic and the request would fail (timeout). Most importantly, this means that Mallory will not be able to call-home to https://evil-c2.xyz if there’s a 0day in wordpress or one of my themes/plugins.

    Wordpress works fine with this setting, as it’s not actually necessary for my web server to initiate connections to www.ads-software.com

    WooCommerce works fine with this setting, as it’s not actually necessary for my web server to initiate connections to woocommerce.com

    I also accept payments in cryptocurrencies on my WooCommerce site, and that also works fine with these settings – as it send the *user’s* browser to the payment processor’s website — rather than trying to have my *server* initiate the connection.

    Note that my web server of course allows incoming connections, so web hooks from stripe to my server should work fine. I just block *outgoing* connections, for security reasons.

    After installing and configuring the “WooCommerce Stripe Payment Gateway” plugin, I get this error on checkout

    There was a problem connecting to the Stripe API endpoint.

    The error occurs after my server’s PHP tries (and fails) to reach the following locations:

    1. https://api.stripe.com/v1/sources/-src_<id-redacted&gt;
    2. https://api.stripe.com/v1/customers

    In both cases, wordpress blocked the call by returning true in block_request()

    I searched the documentation and poked-around in the Stripe settings, but I saw no info about this error, nor any requirements section that said it was necessary for the server to be able to reach api.stripe.com.

    I would expect there to be an option configure the plugin’s communication with api.stripe.com to be initiated by the client’s web browser, not my web server.

    My question is: is it actually a requirement of this plugin for my web server to be able to initiate connections to api.stripe.com? Or is there some way I can configure this plugin to have such connections be done through the client?

Viewing 5 replies - 1 through 5 (of 5 total)
  • Plugin Support Shevene L. a11n

    (@envesh)

    Hi @maltfield!

    is it actually a requirement of this plugin for my web server to be able to initiate connections to api.stripe.com?

    Yes, the Stripe plugin uses the Stripe API and requires that you’re connected to it in order for it to work as expected. Using a firewall or any other setting to block that connection would present the error you’ve highlighted.

    Thanks.

    Thread Starter maltfield

    (@maltfield)

    Thanks for your response Shevene!

    It looks like “Stripe Checkout” provides what they call “client-only” support.

    * https://stripe.com/docs/payments/checkout

    It would be nice if this plugin supported Stripe Checkout in a “client-only” configuration.

    For more info, see this thread in the main WooCommerce plugin’s support forum:

    * https://www.ads-software.com/support/topic/stripe-integration-without-needing-server-communication-to-stripe-com-firewall/

    Plugin Support Fernando M. a11n

    (@fernmed)

    Hello!

    >It would be nice if this plugin supported Stripe Checkout in a “client-only” configuration.

    We appreciate the feedback! I’ll be happy to pass this along to our developers so they can review it. No guarantees that it can be adjusted in future releases, but, it certainly never hurts to ask. ??

    Enjoy your day ahead!

    Thread Starter maltfield

    (@maltfield)

    See also this thread for integrating Stripe Checkout. It’s been open since February 2019

    * https://github.com/woocommerce/woocommerce-gateway-stripe/issues/799

    Plugin Support Adam Heckler

    (@adamkheckler)

    @maltfield As you’ve found, this issue is being tracked on GitHub. You’re right though: there’s been no significant work done on this.

    We don’t direct the features our developers add unfortunately, so I can’t guarantee that Stripe Checkout integration will ever make its way into our plugin. If it does though, that GitHub issue will be updated.

    Since this is being tracked in the GitHub issue linked above, I’ll go ahead and close this thread out.

Viewing 5 replies - 1 through 5 (of 5 total)
  • The topic ‘Is server -> api.stripe.com really necessary? (firewall)’ is closed to new replies.