stripe webhook route in api.php or web.php and exclude csrf

Hi,

Everything I've searched for seems everyone puts the route in web.php and excludes the csrf.

However all the awnsers are old and maybe thats how it needed to be done then.

Is there any reason or security risk to not just put the route in api.php and therefore no need to worry about csrf?

hollyit

6 years ago

Best Answer

Level 8

The only place you might have a problem is with Throttle, depending on how many webhooks you're listening too. Actually I started sometime back creating an entire webhooks route. I just create the group in my RouteServiceProvider and load a webhooks.php from /routes. I don't run any middleware on it by default, just adding what I need for each specific webhook (ie: webhooks/stripe gets the Stripe signature check MW). There's just no need for sessions or all the cookie stuff to run on your webhook routes.

1 like

Please or to participate in this conversation.