Preventing Replay Attacks

To prevent replay attacks, ensure that you check the timestamp included in the request and ignore webhook notifications with older timestamps. Here's how to do it:

Compare the timestamp provided in the PayNow-Timestamp header with the current time. If the timestamp is significantly older than the current time (e.g., more than a few seconds or minutes), consider the request invalid and discard it.

We recommend ignoring webhook requests older than 5 minutes. Use Network Time Protocol (NTP) to make sure that your server's clock is accurate.

You may also store the event_id in your database and ignore any duplicate requests with the same ID. This is useful for ensuring that your server does not handle the same webhook twice.

Last updated

Was this helpful?