Question
Payflow supports a Silent Post URL, which is a page that will be notified upon completion of a successful transaction (payment, refund, etc...). The Silent Post URL can be configured via the PayPal manager.
Most similar payment systems implement the notion of a "post back" where the receiving software can post back the results to make sure that the transaction information is legitimate and not originating from a hacker. Payflow doesn't appear to support a post back and the Payflow Pro documentation doesn't mention any other way of verifying the transaction data received at the Silent Post URL.
Answer 1:
All valid PayPal notifications originate from 173.0.81.65. Simply ignore any notifications that don't come from this IP.
The answer is hidden away in the depths of the PayPal knowledge base: https://ppmts.custhelp.com/app/answers/detail/a_id/445. More information can also be found at https://ppmts.custhelp.com/app/answers/detail/a_id/883/kw/payflow%20ip%20address
Answer 2:
I have chosen a different approach: passing an authentication token within my request to PayPal, which I validate after receiving the POST request.
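One way to implement the token approach from Answer 2, as an added example that is not part of the original answers: the token is an HMAC over the invoice number and amount, so it cannot be reused for a different order or a different total. The field names `USER1`, `INVNUM` and `AMT`, the secret and the sample values are assumptions made for this sketch.

```python
import hashlib
import hmac
from decimal import Decimal, InvalidOperation

# Constructed secret for the example; load the real one from server-side config.
SECRET_KEY = b"example-only-secret"


def _normalize_amount(amount: str) -> str:
    """Render the amount with two decimals so '25' and '25.00' sign identically."""
    return str(Decimal(amount).quantize(Decimal("0.01")))


def make_token(invoice: str, amount: str, key: bytes = SECRET_KEY) -> str:
    """Token sent with the outgoing payment request, bound to invoice and amount."""
    msg = f"{invoice}|{_normalize_amount(amount)}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def verify_silent_post(form: dict, key: bytes = SECRET_KEY) -> bool:
    """Accept the notification only if the echoed token matches its own fields."""
    token = form.get("USER1", "")      # assumed pass-through field carrying the token
    invoice = form.get("INVNUM", "")   # assumed field name for the order reference
    amount = form.get("AMT", "")       # assumed field name for the amount
    if not token or not invoice or not amount:
        return False
    try:
        expected = make_token(invoice, amount, key)
    except (InvalidOperation, ValueError):
        return False                   # unparseable amount: reject, do not crash
    # Constant-time comparison on bytes; also safe for non-ASCII input.
    return hmac.compare_digest(expected.encode(), token.encode())


if __name__ == "__main__":
    # Constructed sample notifications.
    good = {"INVNUM": "INV-1001", "AMT": "25.00",
            "USER1": make_token("INV-1001", "25.00")}
    tampered = dict(good, AMT="0.01")
    print(verify_silent_post(good), verify_silent_post(tampered))
```

Mark an order as paid only after this check passes, and record processed invoice numbers so a replayed copy of a valid notification is not applied twice.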
Source: https://stackoverflow.com/questions/24148603/how-do-you-verify-that-the-notification-to-the-silent-post-url-is-indeed-from-pa