If you get the error message “security header is not valid” when checking out at your site running Paid Memberships Pro, this is a PayPal error indicating that the API credentials are incorrect.


The list of PayPal error codes doesn’t say much on how to fix this.


What you need to do is:

  1. Make sure you’ve selected the correct Gateway Environment (Sandbox/Testing or Live).
  2. Make sure you are using the correct Account Email, API Username, API Password, and API signature for the environment you selected. (Your live and test API information will be different.)
  3. If in the test environment, make sure that you are logged into developer.paypal.com. This shouldn’t be required anymore but is worth a shot.
  4. Make sure that your web server is running up-to-date SSL/TLS software.
  5. Make sure you have a Site Title set in your WP dashboard General Settings.
  6. Try removing any special characters from your membership level names.

That should do it!


Posted by Jason Coleman in General. Last updated: March 30, 2012. Title: Security Header is Not Valid

Comments (47)

I’m using an old version. I need to patch a lot of stuff; I looked at the diff file from my version to the latest and there’s a lot of changes. Particularly I’m interested in when an account is canceled: there was an if/else statement that handled this before, now it’s two separate ifs with a foreach statement in it. I have a separate table that handles other user information. Have you changed anything with your database since 1.5.1? I don’t want to hit upgrade, I just want to add my modifications to the code and re-upload the files.

Grosar, there have been DB updates since then. In general, it’s a good idea to use our hooks and filters to customize PMPro (get in touch if you need other hooks added) so you can upgrade the plugin without losing your customizations. We push updates out a lot and they often include important bug fixes or just cool new features you will want to have.

This advice is specifically for PMPro, but would generally work for OpenCart I’d assume. Just make sure you are using the correct API information, usernames, passwords, etc and that you are hitting the right URL (live or sandbox).

Hi Jason, I don’t receive these errors on the production environment. Only when trying the PP sandbox environment I get these. I’ll try to dig in under the covers and check what could be a cause.

Cheers.

Hi Jason,
I went into the site and re-added the API data. I also made sure that my email was correct. The from email I was using had not been added in cPanel. Once I corrected this, all works OK now.

Thanks for the Post

Hi there – I’m still struggling with this. I’ve tried all of the steps above, but am still getting this error. If anyone comes up with any other solutions, I’d be glad to hear them... it’s driving me crazy!

To make things clear for future visitors:

For Production/Live, log in to your real PayPal account then head to:
* My Account > Profile
* My selling tools (on the left sidebar)
* API access > update
* then select option 2 for the API credentials

For Sandbox/Testing, log in to http://developer.paypal.com then head to:
* Applications > Sandbox accounts
* Create a facilitator account for the API credentials
* Create a customer account then use that account when doing test purchases

OK, I figured it out: in my API-Username was a “+”, e.g. “user+ppapi”; this has to be URL-encoded.
Paid Memberships Pro doesn’t urlencode the API-Username; I think this is a bug.

I fixed it by saving the API-Username already url-encoded to the Database.
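
The encoding problem described in the comment above, as an added example that is not part of the original comment and is not Paid Memberships Pro code: it shows what the receiving side decodes when a username containing “+” is sent raw, encoded, stored pre-encoded, or encoded twice. The credential values and the helper names `build_body_raw`, `build_body_encoded` and `decode_body` are assumptions made for illustration; `USER`, `PWD` and `SIGNATURE` are PayPal's NVP credential field names.

```php
<?php
// Added example: how a "+" in an API username survives (or not) a trip
// through an application/x-www-form-urlencoded request body.
// All credential values below are constructed placeholders.

$creds = [
    'USER'      => 'user+ppapi_api1.example.com', // constructed; contains "+"
    'PWD'       => 'EXAMPLE-PASSWORD',            // constructed
    'SIGNATURE' => 'EXAMPLE-SIGNATURE',           // constructed
];

// Hypothetical naive builder: joins values into the body without encoding.
function build_body_raw(array $fields): string {
    $pairs = [];
    foreach ($fields as $k => $v) {
        $pairs[] = $k . '=' . $v;
    }
    return implode('&', $pairs);
}

// Correct builder: http_build_query() percent-encodes every value.
function build_body_encoded(array $fields): string {
    return http_build_query($fields, '', '&');
}

// What the receiving side sees after form-decoding the body.
function decode_body(string $body): array {
    parse_str($body, $out);
    return $out;
}

$cases = [
    'raw'            => build_body_raw($creds),
    'encoded'        => build_body_encoded($creds),
    // Workaround from the comment: value stored already urlencoded, sent raw.
    'stored-encoded' => build_body_raw(['USER' => urlencode($creds['USER'])] + $creds),
    // Same stored value passed through a sender that does encode.
    'double-encoded' => build_body_encoded(['USER' => urlencode($creds['USER'])] + $creds),
];

foreach ($cases as $name => $body) {
    $seen = decode_body($body)['USER'];
    printf("%-15s sent: %-45s received USER: %-32s %s\n",
        $name, strtok($body, '&'), $seen,
        $seen === $creds['USER'] ? 'match' : 'MISMATCH');
}
```

The `raw` case decodes to a username with a space where the “+” was, so the credentials no longer match. The `double-encoded` case shows that a value stored pre-encoded stops matching once the sending code encodes values itself.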

Thanks so much for that tip, it’s still a bug apparently with other plugins and helped me figure out why my credentials weren’t working.

Hi,

I tried all the steps above. Nevertheless, I am getting the error in the production mode on my website…

Any other tips?

I checked:
– Empty spaces in the api, username and signature
– SSL Seal code of comodo is implemented
– Tried in the maintenance mode of the page and online
– Tried it with a new account
– I tried it also with PayPal Standard

Nothing works…

I’m in a similar situation; please help?

I’ve been a PMPro user for a while; recently we changed the password on our PayFlowPro account. Obviously, that made payments through PMPro stop working: I updated the credentials and password in PMPro and now credit card payments work again (they did not before) but attempting to check out with PayPal results in the “Security Header is Not Valid” error.

I’ve gone through all of the above steps. Is there something I’m missing?

There was an old error that came up if your PayFlow password had certain characters in it. We should account for this now, but to be sure you could try to reissue the PayFlow password and enter it again in the PMPro settings. Otherwise, we would need access to your site to debug further. You could sign up and post to the member forums.

Hey Jason and the PMPro team, I am having a hard time resolving the “Security header is not valid” error and it’s irking me 🙁
I have checked and counter checked based on all guidance on the forum and still can’t resolve it. I need to get this resolved please.
Appreciate your speedy response
Lola

I’ll look for your thread and if it’s still open, I’ll try to get it fixed up for you by EOD tomorrow. Make sure our team has all the access they might need to fully debug and fix on your site (WP admin, FTP/etc)

Enhancement request to assist with this situation.

Seems like the PMP UI could use some work related to this situation.

Currently, selecting Sandbox/Production leaves all other values as-is. This makes it appear you can just switch into sandbox mode and use production mode settings.

Seems like each mode should have its own settings, so switching between the two modes reflects credentials for each separate mode.

Help: I’ve just updated to 1.9.4.2 and my users are STILL experiencing this error when trying to check out using PayPal as the method of payment. Credit cards work fine (through the PayPal gateway), my SSL certificate is current, my PayPal API credentials are current & confirmed, I have a Site Title set and no unusual characters in my membership types. Everything worked in 1.9.2.2. I bought a Plus membership and wrote to you WEEKS ago about this and nothing- still urgently need help resolving this!

There are a number of factors around this error besides our code. Did you go through the list in the article? If you are still having the issue after that, we can help in the member forums.

Thank you for your reply. I went through the whole list in the article. I’ve made a post in the member forums and one of your reps is following up with me. Hoping we can get this resolved!

I finally ended up finding a way to resolve it myself.

In case this is helpful to others, I have documented my efforts.

Background:

We use PayFlow Pro for credit card payments, and we use the “PMPro Add PayPal Express” add-on in order to provide PayPal as a secondary method (primarily so we can issue and accept gift cards).

The “Payment Gateway & SSL” page in the dashboard of Paid Memberships Pro only shows the settings for the actively selected payment gateway (in our case, PayFlow Pro). The add-on uses saved settings for PayPal Express that can be stored via the same page of settings. This is not very visibly documented, and the way to properly update those settings is not documented at all.

Our solution:

1. I temporarily switched the “Payment Gateway” in use to PayPal Express.
2. On that page, I cleared the API credentials fields, saved, re-entered the (unchanged) API credentials, and saved.
3. I switched the payment gateway in use BACK to PayFlow Pro.
4. On that page, I re-entered our PayFlow Pro credentials, and saved.

(variations on this sequence of steps seemed to result in OTHER errors).

To whoever maintains the code and documentation for the add-on: it may be worth noting this in the documentation for future versions in case other users encounter the same problem, or (ideally) providing some kind of admin hook to include the PayPal Express fields on the Payment settings page in addition to the fields for the active primary payment gateway.

Thanks for sharing your solution. I agree that we can do better on the UI for the settings here. We have long term plans for an overhaul of this, but maybe there is something we can do in the meantime to make things more clear.

I think this is a combination of poor instructions and poor UI. I would have never figured this out if not for davidfavor’s comment on the payment setting UI. Problem #1 is that for someone like myself that is new to setting up a payment gateway, I did not know I needed to use separate sandbox API credentials. Problem #2 is, like David said, that the UI is inadequate and does not provide the necessary clues as to what I might be doing wrong. The sandbox API settings should be saved in their own fields. Anyway, a bit more info in the documentation and a couple of tweaks to the UI is going to save you a lot of support time.

Dear Jason.

I have switched the payment gateway to PayPal Pro in order to accept payment without a PayPal account, but we got the error message: The merchant country is not supported.

Does this mean we are not allowed to use PayPal Pro in Russia?

Could you help me please? I am facing the issue below with PayPal Pro credit card payment, when all my details are correct.

Security header is not valid
(Transaction Error) something is wrong.

Thanks in advance

Hi,
I have the header problem. My host says they have:
“The official version of cURL we use is 7.19.7 however it is a package provided by Red Hat so this will contain backported fixes and features.”

I have tried everything else on the things to do / check.

So the question is, does this account for the error?
If so, what course of action next?

Thanks
Regards Malcolm

Hi there,

Sorry to hear that this error is still occurring! Would you kindly open up a support topic on our Member Support Forums so that we can take a closer look into this for you?

I used a modified spin-off of Insoc’s comment on 12/22/2017 .. when switching environment, saving with blank fields, then re-adding with live api creds .. no longer receiving ‘security header is not valid’ .. perhaps an added step to blogpost checklist 🙂 thanks! I also cleared cache, browser history to be sure
