#Andrew Samir-security


fickle wraith
#

Hi 👋 we aren't security, but what are you looking for help with?

queen sigil
#

Hi there
I am implementing a Stripe integration for Payment Intents with Django and Angular (using the ngx-stripe library).
The process is as follows: I create a Payment Intent and pass the client secret to the front end, where it is used to render the form. So I'm wondering, is there any way to mask the client secret?

#

I don't want the client secret to be visible in network requests. Also, when I confirm the payment via the Stripe library, the response is not masked either and is visible in the network tab.

fickle wraith
#

Are you using the network section of the browser's developer console to see those values?

queen sigil
#

yes

#

It can also be visible in the response in Postman.

fickle wraith
#

That's expected; the endpoint where the information is being sent must be able to decrypt the HTTPS traffic and see the values within it. There is no way that I'm aware of to prevent that value from being visible. If you encrypted the value, then the decryption process would need to be available to your client-side code, meaning it's public and anyone could reverse it with enough effort.

queen sigil
#

So is it a waste of time masking them?

#

As there could be some hacks to pay for a customer in Stripe without his knowledge

#

using the data sent from the client_secret

fickle wraith
#

If someone sniffed that information, they still wouldn't have any access to the payment method information as it hasn't been provided yet at that point of the process.

queen sigil
#

if the admin has the customer's payment method ID

fickle wraith
#

No, a Payment Method's ID cannot be provided when doing client-side confirmations. That can only be done server-side and would require your secret key.

Confirming with client-side code only accepts payment method information that is provided via Stripe Elements.

queen sigil
#

I use the confirmPaymentIntentByCardId method in my front end and pass the payment method ID, so that's wrong and should be handled in the backend by using stripe.PaymentIntent.confirm?

#

But by the way, the confirm payment response returns the payment method ID.

queen sigil
#

I think I use confirm card payment

#

as there

fickle wraith
#

That is a good point, so I would recommend not disclosing the IDs of your Payment Methods.

#

You may also want to consider designing your flow to aggressively cancel any Payment Intents that you believe won't be used/completed; this can help mitigate the concerns that you have.
https://stripe.com/docs/api/payment_intents/cancel

If you're going to be confirming Payment Intents and providing a Payment Method ID, then I recommend doing that from your server-side code. To do this, your flow will need to be prepared to handle the scenario where a 3DS challenge needs to be completed which your client-side code would need to handle.

queen sigil
#

If you're going to be confirming Payment Intents and providing a Payment Method ID, then I recommend doing that from your server-side code. To do this, your flow will need to be prepared to handle the scenario where a 3DS challenge needs to be completed which your client-side code would need to handle.

Is there a similar flow as a reference?

fickle wraith
#

Before going too far down that path, I would recommend seeing if the library that you're using supports this approach as it is currently our recommended flow:
https://stripe.com/docs/payments/accept-a-payment?platform=web&ui=elements

This approach is more similar to the one that I referenced, but there is a difference to consider:
https://stripe.com/docs/payments/save-and-reuse?platform=web#charge-saved-payment-method
In Step 7 off_session is set to true because in this scenario the customer is not present at the time of payment, you would omit off_session if your customer is present. You can then use handleCardAction to trigger the challenge flow if one is required:
https://stripe.com/docs/js/payment_intents/handle_card_action

queen sigil
#

Okay, thank you very much.
I have another question not related to this: when making a payment and confirming it in the frontend, is there any way to get the payment error message translated from Stripe?

fickle wraith