Validates callback URLs before they are registered with Safaricom.
Safaricom's servers call these URLs on payment events. Rejecting unsafe values at the library boundary reduces server-side callback SSRF risk when URLs come from multi-tenant input or compromised credentials.
Configuration
config :daraja,
environment: :production,
validate_callback_urls: true,
allowed_callback_hosts: ["myapp.com", "api.myapp.com"]:validate_callback_urls— whenfalse, validation is skipped in:sandboxonly. Production always validates.:allowed_callback_hosts— when set, the URL host must match an entry exactly or be a subdomain of one. Omit to allow any public hostname.
Rules
- Production requires
https://. Sandbox also allowshttp://. - Literal private, loopback, link-local, and metadata addresses are rejected.
- Known metadata hostnames (for example
metadata.google.internal) are rejected.