#zleb


worthy thistleBOT
cosmic geode
#

hello! can you elaborate in more detail what does the plugin script do?

worthy thistleBOT
long dragon
#

it gets info from the screen such as currency, amount then passes it to the payment intent w/ ajax call (we are using a proxy so that SK is hidden)

#

then in the same script we initialize a web form now using a Stripe instance with the public key

random hedge
#

As long as the secret key is not exposed to your client/front-end at all

long dragon
#

great to know! i was worried since the samples show that server must be involved but the purely frontend solution with checkout links is also not feasible from our side.

random hedge
#

Well, a secret key should only be used server-side yes

#

Hence my 'don't expose on the front-end' remark

#

I don't really understand the architecture you're describing

long dragon
#

it's a plug-in JS file that is called when user initiates a payment

random hedge
#

If it's client-side JS that runs in the browser then you shouldn't include your secret key(s) no

long dragon
#

it is hidden by a proxy URL that we are using, so the secret key is not visible in the script

random hedge
#

Yeah I don't really understand what you mean. That 'proxy' URL is still running in the browser and is still theoretically accessible and exposing your secret key, right?

long dragon
#

it doesn't show in the request headers anymore, but we set it somewhere in the application

random hedge
#

What is 'application'? Is it running in the browser client-side?

#

If I inspect the source of your page, am I likely to see the sk_xxx value?

long dragon
#

yeah...it can be set by the merchant in the web application when they have their own SK

random hedge
#

Then no, you shouldn't do that

#

What are you trying to build exactly? We generally discourage plugins collecting API keys from users

long dragon
#

this is for an existing ERP application used by merchants...the plugin script is because we wanted to have to choose between different payment gateways

#

we've done it with another provider previously now we are trying to do it with stripe

#

but yeah the amount can be seen in the request payload

random hedge
#

I don't really understand enough about the architecture/design of your plugin, but any client-side code that exposes a secret key is a security threat

long dragon
#

alright thanks, i'll raise this one with the team

random hedge
#

If a malicious user intercepts a secret key of one of your users it could be catastrophic as it would essentially grant them complete access to their Stripe account

#

But still not perfect. If you're collecting any kind of keys from users as a part of your plugin then it needs to be done in a server environment where it cannot be intercepted