Webhook Controller

The charge/webhook controller is accessed via Stripe callbacks and is the primary way Charge gets information from the Stripe API about asynchronous events.

charge/webhook/callback
The primary callback endpoint. When configuring your Stripe account, this is the endpoint the webhooks will return to. The fully formed URL, including domain, is listed on your Charge > Settings > Callback page for you to copy to your Stripe dashboard.

CSRF Enabled: If you've got CSRF enabled on your Craft install, you'll need to make a special exception for this endpoint. We can't do this directly for you because CSRF checks run before any of the Craft code runs.

Bypassing CSRF Protection for the Webhook Callbacks

To bypass CSRF protection for the webhook endpoint, you'll need to make an adjustment to your config/general.php file.

In your general config, where you're currently enabling CSRF protection like:

return array(
    'enableCsrfProtection' => true
);

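You'll need to modify this so that CSRF protection is turned off only for the webhook callback path:

return array(
    // $_SERVER is populated by the web server; $_REQUEST holds client-supplied parameters.
    // If PATH_INFO is not set, CSRF protection stays enabled.
    'enableCsrfProtection' => (!isset($_SERVER['PATH_INFO']) || $_SERVER['PATH_INFO'] != '/actions/charge/webhook/callback'),
);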
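
The same decision written as a function that can be exercised outside Craft, as an added example that is not part of the Charge documentation or plugin code. The function name `csrfEnabledFor`, the constant `WEBHOOK_PATH` and the sample `$_SERVER` arrays are assumptions made for the illustration; it goes slightly beyond the snippet above by also handling servers that set only `REQUEST_URI`.

```php
<?php
// Added example: not the Charge plugin's own code.
// Assumption: the webhook is served at exactly this path on your install.
const WEBHOOK_PATH = '/actions/charge/webhook/callback';

/**
 * Returns true when CSRF protection should stay enabled for this request.
 * Reads only server-populated values; client parameters ($_GET, $_POST,
 * $_COOKIE, and so $_REQUEST) never influence the result.
 */
function csrfEnabledFor(array $server)
{
    if (!empty($server['PATH_INFO'])) {
        $path = $server['PATH_INFO'];
    } elseif (isset($server['REQUEST_URI'])) {
        // REQUEST_URI includes the query string; compare the path part only.
        $path = parse_url($server['REQUEST_URI'], PHP_URL_PATH);
    } else {
        return true; // no path available (e.g. console): keep protection on
    }
    if (!is_string($path)) {
        return true; // unparseable URI: keep protection on
    }
    return $path !== WEBHOOK_PATH; // exact match only, no prefix matching
}

// Constructed $_SERVER samples (not captured traffic) => expected result.
$cases = array(
    array(array('REQUEST_URI' => '/actions/charge/webhook/callback'), false),
    array(array('REQUEST_URI' => '/actions/charge/webhook/callback?a=1'), false),
    array(array('PATH_INFO' => '/actions/charge/webhook/callback',
                'REQUEST_URI' => '/index.php/actions/charge/webhook/callback'), false),
    array(array('REQUEST_URI' => '/actions/other/controller/action'), true),
    array(array('REQUEST_URI' => '/account?PATH_INFO=/actions/charge/webhook/callback'), true),
    array(array('REQUEST_URI' => '/actions/charge/webhook/callback/extra'), true),
    array(array(), true),
);

foreach ($cases as $case) {
    list($server, $expected) = $case;
    $actual = csrfEnabledFor($server);
    printf("%-4s csrf=%-3s %s\n", $actual === $expected ? 'ok' : 'FAIL',
        $actual ? 'on' : 'off', json_encode($server));
}

// In config/general.php the setting would then read:
//   'enableCsrfProtection' => csrfEnabledFor($_SERVER),
```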