Two consecutive calls to socket.getaddrinfo aren't guaranteed to return the same info, depending on the system configuration. If the "safe" looking record TTLs between the verification lookup and…
again and again, this would only be for clients that opt in. Not for everyone!
When deploying py requests in call script, it should validate the domain again before calling to protect from DNS rebinding. Also, requests needs to have following redirections disabled.
At the moment when this is going to be rolled out into production, check all callback formats if they pass the new checks - whitelisting characters and ports.
But the website probably won't be online forever, so for this use we could also go with changenow.io if the fees are the same or lower.
People would lose these vouchers, and why would anyone buy vouchers if they can buy actual BTC and keep it in their wallet. Maybe too much coding for nothing.
small test result
Request Payload Status
32 https://example.com/?q=http://evil.com/redirect.php. 200
0 200
1 https://127.0.0.1/ 422
2 https://localhost/ 422
3 http://[::]:80/ 422
4 h…
- Do not forget to use the same values for allowed ports/schemes as production, so as not to break something in the future.
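The comments above on `socket.getaddrinfo` returning different answers and on re-validating the domain before the call describe a check-then-use gap. The sketch below is an added example, not code from this thread or project: it resolves once, rejects any non-public answer, and returns the addresses to connect to. `resolve_and_pin`, `CallbackRejected` and the scheme/port values are assumptions.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Assumed policy values; keep them identical to the production allowlist.
ALLOWED_SCHEMES = {"http": 80, "https": 443}  # scheme -> default port
ALLOWED_PORTS = {80, 443}

class CallbackRejected(ValueError):
    """Raised when a callback URL fails validation."""

def resolve_and_pin(url, resolver=socket.getaddrinfo):
    """Validate a callback URL with ONE lookup; return (host, port, ips).

    The caller connects to one of `ips` (sending `host` as Host/SNI), so no
    second lookup can return a different record than the one checked here.
    """
    try:
        parts = urlsplit(url)
        port = parts.port
    except ValueError:
        raise CallbackRejected("malformed URL") from None
    if parts.scheme not in ALLOWED_SCHEMES:
        raise CallbackRejected("scheme not allowed")
    if port is None:
        port = ALLOWED_SCHEMES[parts.scheme]
    if port not in ALLOWED_PORTS:
        raise CallbackRejected("port not allowed")
    if not parts.hostname or parts.username or parts.password:
        raise CallbackRejected("bad authority")
    try:
        infos = resolver(parts.hostname, port, type=socket.SOCK_STREAM)
    except (OSError, UnicodeError):
        raise CallbackRejected("resolution failed") from None
    ips = sorted({info[4][0] for info in infos})
    if not ips:
        raise CallbackRejected("no addresses")
    for ip in ips:
        # One loopback/private/unspecified record is enough to reject.
        if not ipaddress.ip_address(ip.split("%")[0]).is_global:
            raise CallbackRejected("non-public address " + ip)
    return parts.hostname, port, ips
```

When the request itself is sent with requests, pass `allow_redirects=False` as the comment above asks, since a redirect target would otherwise be resolved without this check.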