spookylukey/django-paypal

How can I hide the notify URL from the HTML code? I think it is a security issue

Closed this issue · 5 comments

I want to hide the notify URL from the HTML code. The notify URL input is of type hidden, but if we view the page source it still shows the notify URL that has type hidden.

But I think it is a security issue.

Can I remove the notify URL from the HTML code? Because if we view the page source code it shows that notify URL.

Is it secure?

Do I need to remove the notify URL from the HTML code?

If yes, how can I do that?

Is it safe?

If I remember correctly, there is a PayPal setting that allows you to specify the notify URL, and in that case you can omit notify_url.

However, there is no security issue - this URL should not be treated as a secret. If someone learns that URL, there is nothing they can do with it - if they send information to it, django-paypal will notice it is not genuine because it does a check with PayPal.

Are you sure? I think it's a security issue because anyone can post data.

Because I saw a YouTube video where they said to keep the notify URL secret.

Yes, anyone can post data, but that is true of every bit of your website that accepts POST data. The question is what you do with that data. django-paypal uses the standard PayPal mechanism to check that the data originated with PayPal.

Passing notify_url is the way it is supposed to work - see the PayPal docs - https://developer.paypal.com/docs/paypal-payments-standard/integration-guide/Appx-websitestandard-htmlvariables/#technical-variables

You should believe PayPal docs rather than YouTube videos. The only reason you would need to keep the URL secret would be if the listener on that URL was not doing the required security checks, in which case you do have a huge problem. But django-paypal does do the required checks.

Okay, so it is secure.
Should I close the issue?

I can close it.