Help Article


How do I modify Apache mod_security to accept incoming IPN requests?

Per RFC 2616 Section 14.43, the User-Agent header is a recommended, but not required, header for HTTP/1.1 communication requests. Because request header spoofing is trivial, it shouldn't be relied upon as part of a security validator.

To permit incoming IPN requests from notify.paypal.com, which doesn't supply the User-Agent header, change the mod_security config to accept all connections from *.paypal.com. To do so, add something similar to the following line before the line denying empty User-Agent headers:
   
SecRule REMOTE_HOST "\.paypal\.com$" "allow,log,logdata:'Permitting incoming connection from PayPal'"

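This permits incoming connections from the paypal.com domain while still letting you deny other connections that don't supply the User-Agent header. Note that REMOTE_HOST only contains a hostname when Apache's HostnameLookups directive is enabled; with it off, the variable holds the client IP address and the rule will not match.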
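The rule order described above, as an added example that is not part of the original article: a simplified Python model of how the allow rule and the empty User-Agent deny interact under each Apache HostnameLookups setting. The DNS tables, addresses and function names are constructed for illustration, and the "Double" branch assumes an unconfirmed name falls back to the IP address.

```python
import re

# Pattern taken from the SecRule in this article.
PAYPAL_HOST = re.compile(r"\.paypal\.com$")

# Constructed sample DNS data using documentation address ranges
# (these are not real PayPal addresses).
PTR = {
    "192.0.2.10": "notify.paypal.com",    # PTR and forward record agree
    "198.51.100.7": "notify.paypal.com",  # PTR name with no matching forward record
    "203.0.113.5": "host.example.net",
}
A = {
    "notify.paypal.com": {"192.0.2.10"},
    "host.example.net": {"203.0.113.5"},
}


def remote_host(ip, lookups):
    """Model of REMOTE_HOST for HostnameLookups Off, On or Double."""
    if lookups == "Off":
        return ip  # no reverse lookup: the variable holds the IP address
    name = PTR.get(ip, ip)
    if lookups == "Double" and ip not in A.get(name, set()):
        return ip  # forward lookup does not confirm the PTR name
    return name


def decide(ip, headers, lookups):
    """Apply the PayPal allow rule first, then the empty User-Agent deny."""
    if PAYPAL_HOST.search(remote_host(ip, lookups)):
        return "allow"
    if not headers.get("User-Agent"):
        return "deny"
    return "pass"  # falls through to any remaining rules


if __name__ == "__main__":
    for mode in ("Off", "On", "Double"):
        for ip in PTR:
            print(mode, ip, decide(ip, {}, mode))
```

With lookups off, the genuine notification is denied because the pattern is compared against an IP address; only "Double" ties the allow decision to a name that the forward lookup confirms.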