CSRF problems with Stackpath firewall protection
-
We recently switched our non-profit website to using StackPath at the advice of our hosting company. Several of the pages use the GiveWP plugin (version 2.8.0) with PayPal. We are actively soliciting donations on the page at https://www.guatsp.org/backyard-school/. Some users (but not all) are getting the following error from StackPath:
CRFT Verification Failed
https://www.guatsp.org is using a security service for protection against online attacks. An action has triggered the server and blocked your request.
Please try again in a few minutes. If the issue persists, please contact the site owner for further assistance.
I contacted our web hosting company with this issue. Their first action was to whitelist all PayPal IPs shown at https://www.paypal.com/us/smarthelp/article/what-are-the-ip-addresses-for-live-paypal-servers-ts1056. I’m not sure that made a difference as some donors (but not all) continued to get the error.
I then contacted PayPal support with this message:
Our website at guatsp.org uses WordPress with a Give plugin that allows users to make donations with PayPal. We recently installed a StackPath web applicaetion firewall. Some users (but not all) are making donations at get a message back from StackPath saying that their request didn’t complete. They get error messages like the one attached. This all used to work before adding StackPath. Some users do not get the error. Those that get the error are sometimes charged once and sometimes charged twice. Our web hosting company whitelisted in StackPath all the IP addresses listed at https://www.paypal.com/us/smarthelp/article/what-are-the-ip-addresses-for-live-paypal-servers-ts1056. But, some donors are still reporting this error. Please advise on how this can be corrected. The page where this is happening is https://www.guatsp.org/backyard-school/. There are other pages on the site that use PayPal payments with and without the Give plugin.
After waiting two days, their response was:
Thanks for contacting PayPal,
I am sorry to hear that,
Unfortunately, this is not a PayPal issue.
https://www.drupal.org/project/services/issues/2056281
Would you mind checking with your developer? Or maybe try to upgrade your browsers?
Following the links in their response suggested a problem with the GiveWP plugin, and our host is suggesting this, too. We got a license of the plugin by purchasing the Alone theme from https://themeforest.net/item/alone-charity-multipurpose-nonprofit-wordpress-theme/15019939. So, I don’t know whether I should ask here, the GiveWP site or the theme vendor.
This is really frustrating. Donors don’t know whether their donations completed. Some are getting charged twice and notifying us, then we have to undo all that. Some visitors have no problem. We can’t reproduce the problem. Solving this shouldn’t take several hours of fruitless research, finger-pointing and days of waiting for answers.
Please advise on how to resolve this.
Thank you.
The page I need help with: [log in to see the link]
-
Happy to help, here.
This is one of those situations where it’s fairly easy to get stuck between a bunch of help desks who don’t want to live up to our name and “help.”
You’ve correctly isolated the problem here, and it’s that StackPath has added an additional layer in between your site (where GiveWP is coreeclty sending the calls to PayPal’s API) and PayPal where those API calls are being received.
PayPal wants to make sure that the calls originated from the same place, and StackPath being in the mix is causing issues.
If it worked before stackpath, then we know that GiveWP is not the issue here. As far as who can actually help, that’s likely going to be stackpath themselves.
The CSRF error from PayPal stands for Cross Site Request Forgery, and that means that a different site from the originating one is attempting to “forge” the signature of the original site. Since that’s a way that bad actors could create bots to steal money, it’s something that PayPal looks for.
But it’s also got to be something that StackPath takes into account, and has workarounds for.
There’s nothing we can do from the GiveWP side, but if the StackPath folks find a something we can do to play more nicely with their security solution, we’re happy to take a look.
- The topic ‘CSRF problems with Stackpath firewall protection’ is closed to new replies.
