#Astrounder
Hello bro 🙂
exactly
I would like header logs, for example.
Logs like this:
GET /v1/customers HTTP/2
Host: pay.mydomain.com
Authorization: Basic MY-APIKEY
Sec-Ch-Ua: "Not A(Brand";v="24", "Chromium";v="110"
Sec-Ch-Ua-Mobile: ?0
Sec-Ch-Ua-Platform: "macOS"
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.5481.178 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Sec-Fetch-Site: none
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Accept-Encoding: gzip, deflate
Accept-Language: en-GB,en-US;q=0.9,en;q=0.8
or HTTP response logs.
No that isn't possible for Stripe hosted pages.
Hm... and how could I improve my security audit of a hostname hosted with Stripe pages?
Is there any way?
Well we handle the security on those pages. So not sure exactly why you are concerned with them?
My concern is the following:
Because Stripe uses shared domains, Stripe accepts any API key on any hostname. So how will I know if someone is using my domain pay.mydomain.com to query data from other companies?
Not 100% sure what you mean there, but we do specify what data we collect and for what purposes in our privacy policy, terms of service, etc. We are fully compliant with the regulations of the countries we operate in.
I'll explain it better: My concern is not with privacy issues, but with security.
Just for example:
Imagine you have a Stripe custom domain called checkout.pompey.com.
If I use my valid API key on your domain, for example https://checkout.pompey.com/v1/customers, I will receive data related to my users, even though the request was made to your domain.
Your domain could be used by hackers to test leaked API keys, brute-force, etc.
Oh are you talking about card testing with a public key? Where a bad actor takes a public key and client secret and tries to find legitimate card numbers with them? https://stripe.com/docs/disputes/prevention/card-testing
Almost that.
But take into account that a hacker has a leak with several live API keys.
He could use any domain that doesn't belong to him to test them without any control.
And if there was any identification of malicious activity, Stripe would blame the domain owner for the malicious requests.
Because at the end of it all, Stripe only validates whether the API key is valid and does not validate whether the domain is related to the given API key.
Which API key are you talking about?
With things like card testing we don't do blame, as far as I know.
And we actually have beta flows that get rid of the card testing attack vector by disabling the public key from being able to confirm client secrets
Sorry, but I don't mean credit cards.
Let's take a test API key, even from Stripe itself. You can use the same API on any custom domain page, with the same API key.
Another thing I'd like to know: Is there a custom domain ban for malicious activity?
What API calls specifically are you worried about being made? Public keys are very limited in what they can do. They will need some action from your server/secret key to do much of anything.