Preventing Replay Attacks
To prevent replay attacks, ensure that you check the timestamp included in the request and ignore webhook notifications with older timestamps. Here's how to do it:
Compare the timestamp provided in the PayNow-Timestamp
header with the current time. If the timestamp is significantly older than the current time (e.g., more than a few seconds or minutes), consider the request invalid and discard it.
You may also store the event_id
in your database and ignore any duplicate requests with the same ID. This is useful for ensuring that your server does not handle the same webhook twice.
Last updated
Was this helpful?