Is server -> api.stripe.com really necessary? (firewall)

Is it a requirement of this software that my web server is able to initiate connections to api.stripe.com?

For security reasons, my server’s firewall blocks my web server (apache) from initiating outgoing connections. This is further reinforced by the following line in wp-config.php

define( ‘WP_HTTP_BLOCK_EXTERNAL’, true );

As such, the above makes wordpress deny plugins calls to wp_remote_get() fail (via block_request() returning true). For example, wordpress will not allow WooCommerce to call-home to woocommerce.com. And wordpress will not allow WooCommerce Stripe Payment Gateway to call-home to api.stripe.com. Even if it bypasses this wordpress block, the server’s firewall would drop the network traffic and the request would fail (timeout). Most importantly, this means that Mallory will not be able to call-home to http://evil-c2.xyz if there’s a 0day in wordpress or one of my themes/plugins.

Wordpress works fine with this setting, as it’s not actually necessary for my web server to initiate connections to wordpress.org

WooCommerce works fine with this setting, as it’s not actually necessary for my web server to initiate connections to woocommerce.com

I also accept payments in cryptocurrencies on my WooCommerce site, and that also works fine with these settings – as it send the *user’s* browser to the payment processor’s website — rather than trying to have my *server* initiate the connection.

Note that my web server of course allows incoming connections, so web hooks from stripe to my server should work fine. I just block *outgoing* connections, for security reasons.

After installing and configuring the “WooCommerce Stripe Payment Gateway” plugin, I get this error on checkout

There was a problem connecting to the Stripe API endpoint.

The error occurs after my server’s PHP tries (and fails) to reach the following locations:

1. https://api.stripe.com/v1/sources/-src_<id-redacted&gt;
2. https://api.stripe.com/v1/customers

In both cases, wordpress blocked the call by returning true in block_request()

I searched the documentation and poked-around in the Stripe settings, but I saw no info about this error, nor any requirements section that said it was necessary for the server to be able to reach api.stripe.com.

I would expect there to be an option configure the plugin’s communication with api.stripe.com to be initiated by the client’s web browser, not my web server.

My question is: is it actually a requirement of this plugin for my web server to be able to initiate connections to api.stripe.com? Or is there some way I can configure this plugin to have such connections be done through the client?