Keep your payments secure.
To make sure nobody can interfere with your payments (or obtain your private API key), always stick to the following rules.
Since there is no guarantee that an event was actually sent by the Unzer API, always fetch the resource through the SDK instead of trusting the event's content. This ensures an attacker cannot inject a false payment state into your shop.
In addition, there is no guarantee that events arrive in the order they were sent. Fetching the resource an event refers to always gives you its latest state.
An attacker could send an event whose retrieveUrl points to their own domain, either to capture your private key (which your client would send along with the request) or to return fake data that makes you believe a payment has been completed when it actually has not.
To retrieve the resource from an event without being fed false data, use the fetchResourceFromEvent(...) method. It discards the manipulable domain from retrieveUrl and uses only the path to the corresponding resource, so the request always goes to a trusted Unzer domain.
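The following Python snippet is an added illustration of the "keep the path, drop the domain" idea described above; it is not Unzer SDK code and does not reproduce the SDK's internals. It assumes the event is the JSON webhook body with a retrieveUrl field, takes https://api.unzer.com as the trusted API origin (an assumption), and injects the HTTP client (http_get) so the example runs offline; the event payload and the recording client are constructed for the demonstration.

```python
"""Added example: rebuild a resource URL from a webhook event using only its path.

Not Unzer SDK code. Assumes: event JSON carries 'retrieveUrl'; the trusted
API origin is https://api.unzer.com (assumption); http_get(url) is the caller's
authenticated HTTP client (the one that adds the private key).
"""
import json
from urllib.parse import urlsplit, urlunsplit

# Assumed trusted API origin; a real SDK carries its own base URL.
TRUSTED_API_BASE = "https://api.unzer.com"


def resource_url_from_event(event_json: str, api_base: str = TRUSTED_API_BASE) -> str:
    """Return the URL to fetch, keeping only the path of the event's retrieveUrl.

    Scheme, host, port, user-info, query and fragment of retrieveUrl are all
    sender-controlled and are thrown away; the path is re-attached to api_base.
    """
    event = json.loads(event_json)
    retrieve_url = event.get("retrieveUrl")
    if not isinstance(retrieve_url, str) or not retrieve_url:
        raise ValueError("event carries no retrieveUrl")
    path = urlsplit(retrieve_url).path
    if not path.startswith("/") or "/." in path:
        # Defence in depth: reject relative paths and dot-segments such as /../
        raise ValueError(f"refusing suspicious resource path: {path!r}")
    base = urlsplit(api_base)
    return urlunsplit((base.scheme, base.netloc, path, "", ""))


def fetch_resource_from_event(event_json: str, http_get, api_base: str = TRUSTED_API_BASE) -> dict:
    """Fetch the resource an event points to, via the trusted host only."""
    return http_get(resource_url_from_event(event_json, api_base))


def fetch_resource_unsafely(event_json: str, http_get) -> dict:
    """The pattern to avoid: following retrieveUrl exactly as delivered."""
    return http_get(json.loads(event_json)["retrieveUrl"])


# Constructed sample event whose retrieveUrl points at a look-alike host.
FORGED_EVENT = json.dumps({
    "event": "payment.completed",
    "publicKey": "s-pub-example",
    "retrieveUrl": "https://api.unzer.com.attacker.example/v1/payments/s-pay-1",
    "paymentId": "s-pay-1",
})


class RecordingClient:
    """Stand-in HTTP client: records which host each request goes to and
    answers with a canned 'completed' payment regardless of host, which is
    exactly what a fake endpoint would do."""

    def __init__(self) -> None:
        self.hosts = []

    def __call__(self, url: str) -> dict:
        self.hosts.append(urlsplit(url).hostname)
        return {"id": "s-pay-1", "state": {"name": "completed"}}


def demo() -> dict:
    """Show where each approach sends the (credentialed) request."""
    client = RecordingClient()
    fetch_resource_unsafely(FORGED_EVENT, client)    # request leaves for the forged host
    fetch_resource_from_event(FORGED_EVENT, client)  # request goes to the trusted host
    return {"unsafe_host": client.hosts[0], "safe_host": client.hosts[1]}


if __name__ == "__main__":
    print(demo())
```

In production, replace http_get with the authenticated client that sends your private key; the point of the example is that the key only ever travels to the trusted origin, and the payment state you act on comes from there as well. The dot-segment check is extra caution on top of the SDK's approach, not something the page states the SDK does.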