To prevent replay attacks, ensure that you check the timestamp included in the request and ignore webhook notifications with older timestamps. Here's how to do it:
Compare the timestamp provided in the PayNow-Timestamp header with the current time. If the timestamp is significantly older than the current time (e.g., more than a few seconds or minutes), consider the request invalid and discard it.
We recommend ignoring webhook requests older than 5 minutes. Use Network Time Protocol (NTP) to make sure that your server's clock is accurate.
You may also store the event_id in your database and ignore any duplicate requests with the same ID. This is useful for ensuring that your server does not handle the same webhook twice.
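The two checks above combined in one handler-side guard, as an added example that is not PayNow's own code: it rejects requests whose `PayNow-Timestamp` is more than 5 minutes from the server clock and drops repeated `event_id` values. It assumes the header carries an integer epoch timestamp (seconds or milliseconds; the exact format is an assumption here) and keeps seen IDs in memory, where a real deployment would use the database as described.

```python
import time
from typing import Dict, Optional, Set, Tuple

MAX_AGE_SECONDS = 5 * 60            # recommended 5-minute window
TIMESTAMP_HEADER = "PayNow-Timestamp"


def parse_timestamp(raw: Optional[str]) -> Optional[float]:
    """Return the header value as epoch seconds, or None if malformed.
    Assumption: an integer epoch value; anything above 10^11 is treated
    as milliseconds and scaled to seconds."""
    if raw is None:
        return None
    try:
        value = int(raw.strip())
    except ValueError:
        return None
    return value / 1000.0 if value > 10**11 else float(value)


class ReplayGuard:
    """Timestamp freshness check plus event_id de-duplication.
    The clock is injectable so the logic can be tested deterministically;
    in production the default time.time() relies on an NTP-synced clock."""

    def __init__(self, max_age: int = MAX_AGE_SECONDS, clock=time.time):
        self.max_age = max_age
        self.clock = clock
        self.seen_ids: Set[str] = set()   # stand-in for a database table

    def check(self, headers: Dict[str, str], event_id: str) -> Tuple[bool, str]:
        # Header names are case-insensitive, so normalise before lookup.
        lowered = {k.lower(): v for k, v in headers.items()}
        ts = parse_timestamp(lowered.get(TIMESTAMP_HEADER.lower()))
        if ts is None:
            return False, "missing or malformed timestamp"
        age = self.clock() - ts
        if age > self.max_age:
            return False, f"stale request: {age:.0f}s old"
        if age < -self.max_age:
            # Reject clocks that disagree badly in the other direction too.
            return False, "timestamp too far in the future"
        if event_id in self.seen_ids:
            return False, "duplicate event_id"
        self.seen_ids.add(event_id)   # record only after all checks pass
        return True, "ok"
```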