Introduction

When Cloudflare WAF blocks Stripe webhooks, payments may succeed on Stripe's side while your application never receives the events it needs to update orders, subscriptions, or invoices. That creates confusing downstream failures because checkout can look healthy to the customer while your backend stays out of sync. The safe fix is to identify the exact blocking rule and allow only the webhook traffic you actually need.

Symptoms

  • Stripe events show delivery failures or repeated retries
  • Orders, subscriptions, or invoice states stop updating after successful payments
  • The webhook endpoint works when bypassing Cloudflare but fails on the public hostname
  • The issue started after enabling a new WAF rule, bot control, or custom firewall expression
  • Cloudflare logs show webhook requests challenged, blocked, or rate limited

Common Causes

  • A managed WAF rule flags Stripe webhook payloads or headers as suspicious
  • Bot or abuse controls challenge machine-to-machine requests that cannot complete a browser flow
  • Rate limits or path rules are too broad for webhook delivery patterns
  • The webhook endpoint shares hostname protections intended for interactive users only
  • The origin validates webhooks correctly, but Cloudflare blocks the request before it gets there

Step-by-Step Fix

  1. Confirm Stripe is delivering to the expected hostname and path, and collect the failed event details from Stripe's dashboard.
  2. Review Cloudflare security events for the exact webhook requests to identify which rule, product, or expression is blocking them.
  3. Verify the webhook path does not sit behind interactive controls such as challenges or browser-based bot checks.
  4. Create the narrowest possible exception for the Stripe webhook endpoint instead of relaxing protection for the whole site: match the exact webhook path and the POST method, restrict the source to Stripe's published webhook IP addresses, and have the rule skip only the products or rules identified in step 2.
  5. Keep origin-side Stripe signature validation in place, computed over the raw request body with the endpoint's signing secret, so Cloudflare exceptions do not become your only control; a request that reaches the origin through the exception still has to prove it came from Stripe.
  6. Check rate limits and firewall expressions that might match Stripe retries or bursts during event replay.
  7. Re-send a failed webhook from Stripe after the rule change and confirm the application processes it successfully.
  8. Audit downstream order or billing gaps created during the incident and replay missed events where needed.
  9. Document the webhook protection model so future WAF tuning does not silently break payment event delivery again.
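
The origin-side half of steps 5, 7 and 8, as an added example that is not Stripe's, Cloudflare's or this article's own code. It re-implements the documented Stripe-Signature check (HMAC-SHA256 over "<t>.<raw body>" keyed with the endpoint's whsec_ secret, 300 second tolerance) so the block runs offline; in a real service the official library's stripe.Webhook.construct_event does the same verification. It then deduplicates on the event id so that re-sending failed events from the Stripe dashboard, or replaying a backlog after the WAF fix, never applies a payment twice. The secret, event, cs_/evt_ identifiers and the metadata.order_id field are constructed sample data and assumptions for the demo.

```python
import hashlib
import hmac
import json
import time
from typing import Dict, List, Optional, Tuple

TOLERANCE_SECONDS = 300  # Stripe's default window for accepting a signed timestamp


class SignatureError(Exception):
    """The Stripe-Signature header does not authenticate this body."""


def parse_signature_header(header: str) -> Tuple[int, List[str]]:
    """Split 't=<unix>,v1=<hex>[,v1=<hex>][,v0=<hex>]' into (timestamp, [v1 values])."""
    timestamp: Optional[int] = None
    v1_sigs: List[str] = []
    for item in header.split(","):
        key, _, value = item.strip().partition("=")
        if key == "t" and value.isdigit():
            timestamp = int(value)
        elif key == "v1":          # v0 entries are a legacy scheme and are ignored
            v1_sigs.append(value)
    if timestamp is None or not v1_sigs:
        raise SignatureError("header lacks t= or v1=")
    return timestamp, v1_sigs


def compute_signature(secret: str, timestamp: int, payload: bytes) -> str:
    """HMAC-SHA256 of '<timestamp>.<raw body>' keyed with the endpoint secret."""
    return hmac.new(secret.encode(), f"{timestamp}.".encode() + payload, hashlib.sha256).hexdigest()


def make_signature_header(secret: str, payload: bytes, timestamp: int) -> str:
    """What Stripe's side produces; used here only to build the constructed delivery."""
    return f"t={timestamp},v1={compute_signature(secret, timestamp, payload)}"


def verify_event(payload: bytes, header: str, secret: str, now: Optional[int] = None) -> dict:
    """Return the parsed event if the signature is valid and fresh, else raise SignatureError.

    `payload` must be the raw request body exactly as received: re-serialising
    parsed JSON before hashing is the classic way to break this check.
    """
    now = int(time.time()) if now is None else now
    timestamp, v1_sigs = parse_signature_header(header)
    if abs(now - timestamp) > TOLERANCE_SECONDS:
        raise SignatureError("timestamp outside tolerance")
    expected = compute_signature(secret, timestamp, payload)
    if not any(hmac.compare_digest(expected, sig) for sig in v1_sigs):
        raise SignatureError("no v1 signature matches")
    return json.loads(payload)


class WebhookProcessor:
    """Verifies, deduplicates and applies events; a real service persists both maps."""

    def __init__(self, secret: str) -> None:
        self.secret = secret
        self.seen_event_ids: set = set()
        self.order_status: Dict[str, str] = {}

    def handle(self, payload: bytes, header: str, now: Optional[int] = None) -> str:
        try:
            event = verify_event(payload, header, self.secret, now)
        except SignatureError:
            return "rejected"      # answer 400 so Stripe records a delivery failure
        if event["id"] in self.seen_event_ids:
            return "duplicate"     # answer 200; a re-sent event must not double-apply
        self.seen_event_ids.add(event["id"])
        if event["type"] == "checkout.session.completed":
            order_id = event["data"]["object"]["metadata"]["order_id"]  # assumed metadata key
            self.order_status[order_id] = "paid"
        return "processed"


# Constructed sample delivery: not a real Stripe secret, event or session.
SECRET = "whsec_example_only"
SENT_AT = 1_700_000_000
EVENT = json.dumps({
    "id": "evt_example_1",
    "type": "checkout.session.completed",
    "data": {"object": {"id": "cs_example_1", "metadata": {"order_id": "order_1001"}}},
}).encode()
HEADER = make_signature_header(SECRET, EVENT, SENT_AT)


def demo() -> Dict[str, str]:
    """First delivery, a dashboard re-send, a stale replay, and a tampered body."""
    proc = WebhookProcessor(SECRET)
    return {
        "first": proc.handle(EVENT, HEADER, now=SENT_AT),
        "resend": proc.handle(EVENT, HEADER, now=SENT_AT + 30),
        "stale": proc.handle(EVENT, HEADER, now=SENT_AT + TOLERANCE_SECONDS + 1),
        "tampered": proc.handle(EVENT.replace(b"order_1001", b"order_9999"), HEADER, now=SENT_AT),
        "orders": json.dumps(proc.order_status),
    }


if __name__ == "__main__":
    print(demo())
```

Two details matter for the incident flow above. The signature check runs before the duplicate check, so a stale or altered replay is rejected rather than silently counted as "already seen", and a rejected request should be answered with a 4xx so the failure stays visible in Stripe's delivery log. Because the dedup key is the event id, the replay of missed events in step 8 can be run in bulk without auditing which ones already arrived.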