Help Article

How do I modify Apache mod_security to accept incoming IPN requests?

Per RFC 2616 Section 14.43, the User-Agent header is a recommended, but not required, header for HTTP/1.1 communication requests. Because request header spoofing is trivial, it shouldn't be relied upon as part of a security validator.

To permit incoming IPN requests from notify.paypal.com, which doesn't supply the User-Agent header, change the mod_security config to accept all connections from *.paypal.com. To do so, add something similar to the following line before the line denying empty User-Agent headers:
   
SecRule REMOTE_HOST "\.paypal\.com$" "allow,log,logdata:'Permitting incoming connection from PayPal'"

This will permit incoming connections from the paypal.com domain, while allowing you to deny other connections that don't supply the User-Agent header.
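The rule ordering described above, written out as an added example (not PayPal's or the ModSecurity project's own configuration). The rule ids, the phase, and the User-Agent deny rule are assumptions, since the page does not show its own deny line.

```apache
# Added example for ModSecurity 2.x on Apache httpd.
# Rule ids 10001/10002 are constructed placeholders; pick ids that are
# unused in your own rule set.

# REMOTE_HOST only contains a hostname when Apache resolves client
# addresses. With HostnameLookups Off it holds the client IP address
# (the same value as REMOTE_ADDR), and the paypal.com pattern never matches.
# "Double" makes Apache run a forward lookup on the reverse-DNS result and
# require it to map back to the connecting address, so a PTR record that
# merely claims to be under paypal.com is not accepted as the hostname.
HostnameLookups Double

SecRuleEngine On

# 1) The allow rule from the article, placed first. "allow" ends rule
#    processing for the transaction, so the deny rule below is not
#    evaluated for hosts under paypal.com.
SecRule REMOTE_HOST "\.paypal\.com$" \
    "id:10001,phase:1,allow,log,logdata:'Permitting incoming connection from PayPal'"

# 2) Assumed stand-in for "the line denying empty User-Agent headers".
#    &REQUEST_HEADERS:User-Agent counts how many User-Agent headers the
#    request carries; zero means the header was not supplied.
SecRule &REQUEST_HEADERS:User-Agent "@eq 0" \
    "id:10002,phase:1,deny,status:403,log,msg:'Request without User-Agent header'"
```

After a reload, an IPN delivery should produce the `Permitting incoming connection from PayPal` entry in the ModSecurity audit log, and a request from any other host without a User-Agent header should be logged under the deny rule.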