When is it recommended to validate the paypal IPN?
Option 1 - Validate during the handler ipn post, then save and enqueue ipn if valid.
- Pros: An attacker can not fill your database by sending fake IPNs
- Cons:
- Requires a longer response time for ipn post since you need to make a web request to validate, before being able to respond with a 200 OK in the ipn handler
- An attacker can keep your web server busy trying to validate fake IPNs
Option 2 - Delay validation, save and enqueue ipn, respond with 200, then validate when processing the queue.
- Pros: Quick response to paypal IPN
- Cons: An attacker can fill your database by sending fake IPNs
Or do you do have something additional in place that avoids the problems of these two options?
Edit: I'm using the Paypal Adaptive Payments API, and am wondering what the recommended practice is while using that API.