I recently noticed this warning while scanning the Stripe documentation:
You can use the client secret to complete the payment process with the amount specified on the PaymentIntent. Don’t log it, embed it in URLs, or expose it to anyone other than the customer. Make sure that you have TLS on any page that includes the client secret.
A web app I run has been appending the client secret along with the payment intent ID to the payment confirmation page (i.e. redirect URL) ever since I first integrated it, without any modification from me as far as I can remember, so I've always assumed the integration was designed to be this way until I read this warning.
Is it safe for the client secret to be in the redirect URL?
Source: https://stackoverflow.com/questions/76017285/is-it-safe-for-the-stripe-client-secret-to-be-in-the-redirect-url
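Since the warning quoted above is about the secret lingering in URLs and logs, a confirmation page can read the parameters it needs and then drop the secret from the address bar, and server-side log handling can redact it. The following is an added example, not code from the post or from Stripe; it assumes the return URL carries the query parameters `payment_intent`, `payment_intent_client_secret` and `redirect_status`, and the sample URL and identifiers are constructed.

```javascript
// Added example (not from the original post): read the PaymentIntent
// parameters that arrive on the confirmation page, then remove the client
// secret from the URL so it does not stay in browser history, Referer
// headers or access logs. Parameter names are an assumption about the
// return URL (payment_intent, payment_intent_client_secret, redirect_status).
const SECRET_PARAM = "payment_intent_client_secret";

// Returns the payment parameters plus a copy of the URL with the secret removed.
function extractAndScrubPaymentParams(href) {
  const url = new URL(href);
  const params = url.searchParams;
  const result = {
    paymentIntent: params.get("payment_intent"),
    clientSecret: params.get(SECRET_PARAM),
    redirectStatus: params.get("redirect_status"),
    cleanUrl: null,
  };
  params.delete(SECRET_PARAM); // searchParams is live, so url.toString() reflects this
  result.cleanUrl = url.toString();
  return result;
}

// Redacts anything shaped like a PaymentIntent client secret
// (pi_<id>_secret_<token>) in a log line, for access logs that record
// full request URLs. The shape is an assumption about the token format.
function redactClientSecret(line) {
  return line.replace(/pi_[A-Za-z0-9]+_secret_[A-Za-z0-9]+/g, "pi_[REDACTED]");
}

// Browser usage: call once on the confirmation page, before any analytics
// or third-party script runs, and rewrite the address bar without reloading.
// Returns null outside a browser (e.g. when run under Node).
function scrubAddressBar() {
  if (typeof window === "undefined") return null;
  const info = extractAndScrubPaymentParams(window.location.href);
  if (info.clientSecret !== null) {
    window.history.replaceState(null, "", info.cleanUrl);
  }
  return info;
}

// Constructed sample URL (not a real Stripe identifier or secret).
const SAMPLE_URL =
  "https://shop.example/confirm?payment_intent=pi_123abc" +
  "&payment_intent_client_secret=pi_123abc_secret_XYZ789&redirect_status=succeeded";
```

Keeping the secret only in page memory is what lets the page still confirm status server-side (by `payment_intent` ID) while nothing downstream of the initial request ever sees the token.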