How do I modify Apache mod_security to accept incoming IPN requests?

Per RFC 2616 Section 14.43, the User-Agent header is recommended, but not required, in HTTP/1.1 requests. Because request headers are trivial to spoof, the User-Agent header shouldn't be relied upon as part of a security validator.

To permit incoming IPN requests from notify.paypal.com, which doesn't supply the User-Agent header, change the mod_security config to accept all connections from *.paypal.com. To do so, add something similar to the following line before the line denying empty User-Agent headers:

# ModSecurity 2.7 and later require a unique id on every rule; 10001 is a placeholder, use one that is free in your ruleset.
SecRule REMOTE_HOST "\.paypal\.com$" "id:10001,allow,log,logdata:'Permitting incoming connection from PayPal'"

This will permit incoming connections from the paypal.com domain, while allowing you to deny other connections that don't supply the User-Agent header.
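
The rule above trusts REMOTE_HOST, which holds a reverse-DNS (PTR) name only when Apache's HostnameLookups is enabled, and a PTR record is set by whoever controls the address block, so the name is only meaningful if it also resolves forward to the same address. The following is an added example, not part of the original article or PayPal's code, showing that forward-confirmed check in Python. The function names are hypothetical and the DNS tables and addresses are constructed.

```python
import ipaddress
import re
import socket

# Same pattern as the SecRule above: the name must end in ".paypal.com".
PAYPAL_HOST = re.compile(r"\.paypal\.com$")

def dns_reverse(ip):
    """PTR lookup; raises OSError when the address has no name."""
    return socket.gethostbyaddr(ip)[0]

def dns_forward(name):
    """A/AAAA lookup; raises OSError when the name does not resolve."""
    return {info[4][0] for info in socket.getaddrinfo(name, None)}

def is_confirmed_paypal_host(ip, reverse=dns_reverse, forward=dns_forward):
    """True only if ip's PTR name matches the pattern AND resolves back to ip."""
    try:
        name = reverse(ip).rstrip(".").lower()
    except OSError:
        return False                      # no PTR record: nothing to trust
    if not PAYPAL_HOST.search(name):
        return False                      # name is outside paypal.com
    try:
        addrs = {ipaddress.ip_address(a) for a in forward(name)}
    except (OSError, ValueError):
        return False                      # name does not resolve forward
    return ipaddress.ip_address(ip) in addrs

# Constructed DNS data using documentation address ranges (not real PayPal IPs).
PTR = {
    "192.0.2.10": "notify.paypal.com",    # PTR and A record agree
    "198.51.100.7": "notify.paypal.com",  # PTR claims the name, A record disagrees
    "203.0.113.5": "host.example.net",    # unrelated name
}
A = {"notify.paypal.com": {"192.0.2.10"}, "host.example.net": {"203.0.113.5"}}

def sample_reverse(ip):
    if ip not in PTR:
        raise OSError("no PTR record")
    return PTR[ip]

def sample_forward(name):
    if name not in A:
        raise OSError("name does not resolve")
    return A[name]

if __name__ == "__main__":
    for addr in list(PTR) + ["203.0.113.99"]:
        print(addr, is_confirmed_paypal_host(addr, sample_reverse, sample_forward))
```

Called with only an address, the function uses the system resolver instead of the constructed tables.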