To prevent any vulnerabilities, starting from March 29, 2025, we will block all Preferences that use the HTTP protocol by returning a 400 error invalid_back_urls, as described in the documentation.

This new validation will be applied to both back URLs and URLs provided for receiving notifications, so you should pay attention to the following fields in the contract (JSON):

• back_urls
  
• notification_url

In cases where the notification_url has been configured before creating the preference through the Developer Panel, you must also update it to ensure it is not affected and to keep receiving notifications normally.

Don’t forget: the deadline for updates is until March 28, 2025. After this date, the general blocking of HTTP usage will be implemented.

Important: the blocking will only apply to URLs that use HTTP; other protocols such as HTTPS, FTP, and others will continue to function normally.

Don't wait until the last minute. Update your application as soon as possible to make it even more secure!