Payment verification after the callback should not be considered recommended but rather mandatory, since you don't know who is actually making the callback request. Furthermore, the verification URL needs to use HTTPS, otherwise a man-in-the-middle attack can be used to tell the merchant the payment was a success even when it wasn't.
Agreed that HTTPS is better
Verification is using SSL, but I need to update my certificates since they block external requests for being self-signed ;)
Works just fine, but once you curl it, it's getting blocked. Should be resolved in max 24h from now.
You can get a Let's Encrypt certificate for this. Don't pay for certificates from big corporations. Let's Encrypt is free and open!
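The check discussed in this thread, sketched as an added example that is not code from any of the commenters or from the payment service: the merchant ignores whatever the callback claims and accepts the order only on the verification reply, fetched over HTTPS with certificate validation left on. The endpoint `https://payments.example/verify` and the field names `payment_id`, `order_id`, `amount` and `status` are assumptions, since the thread does not give the real API.

```python
import json
import ssl
import urllib.request
from urllib.parse import urlencode, urlsplit

# Hypothetical verification endpoint; the thread does not name the real one.
VERIFY_URL = "https://payments.example/verify"


def https_fetch(url):
    """GET a URL with certificate and hostname checks left on (the default)."""
    ctx = ssl.create_default_context()  # rejects self-signed or mismatched certs
    with urllib.request.urlopen(url, context=ctx, timeout=10) as resp:
        return json.loads(resp.read().decode("utf-8"))


def confirm_payment(callback, order, verify_url=VERIFY_URL, fetch=https_fetch):
    """Decide whether an order is paid, trusting only the verification reply.

    callback: parameters received on the callback request (untrusted).
    order:    the merchant's own record, e.g. {"id": "A1", "amount": "5.000"}.
    """
    if urlsplit(verify_url).scheme != "https":
        raise ValueError("verification URL must use HTTPS")
    payment_id = callback.get("payment_id")
    if not payment_id:
        return False
    # The callback's own "status" field is ignored: anyone can send it.
    reply = fetch(verify_url + "?" + urlencode({"payment_id": payment_id}))
    # Compare against the merchant's record, not against the callback.
    return (
        reply.get("status") == "paid"
        and reply.get("order_id") == order["id"]
        and reply.get("amount") == order["amount"]
    )
```

The `fetch` parameter exists so the decision logic can be exercised with a stub; in production the default `https_fetch` is used and a self-signed certificate on the verification host makes the call fail rather than succeed silently.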