benji6456 | Stripe Developers | Page 1

foggy talonBOT Jul 10, 2023, 6:39 AM

#

unborn raptor Jul 10, 2023, 6:39 AM

#

Any guidance or recommendations you can provide on this matter would be greatly appreciated.

earnest ermine Jul 10, 2023, 6:41 AM

#

Hi there, it looks like you want to know how Stripe handles security https://stripe.com/docs/security

Security at Stripe

Learn how Stripe handles security.

unborn raptor Jul 10, 2023, 6:54 AM

#

My main point is that behind the hosted-invoice-urls the credit card information of the client is autofilled in your form.
So in a worst case scenario where those hosted-invoice-urls we save in our database get stolen (e.g. possible future security bugs)
these urls could technically be scraped by the attacker and the credit card info is stolen.

We tried to turn off this behavoir in the stripe settings, but it seems like this is not an option provided by stripe.

earnest ermine Jul 10, 2023, 6:56 AM

#

Can you elaborate more on the card information auto-fill behaviour, are you talking about saving cards information in a browser? https://support.google.com/chrome/answer/142893?hl=en&co=GENIE.Platform%3DDesktop

Fill out forms automatically - Computer - Google Chrome Help

You can let Chrome fill out forms automatically with saved info, like your addresses or payment info. When you enter info in a new form online, Chrome might ask you if you’d like Chrome to save it.

unborn raptor Jul 10, 2023, 7:01 AM

#

so after creating an invoice, we save invoice information provided by the stripe api webhook to our database;
it contains for example this hosted-url, where the user can do the online payment:
https://invoice.stripe.com/i/acct_1MuiU9GnwTOqhusG/test_YWNjdF8xTXVpVTlHbndUT3FodXNHLF9PRVUwMkNNV3M0YTRwVHNJTUtSMHE1UklIQWFKTzdtLDc5NDYzMDg10200AaSitpxT?s=ap

as you can see, my saved credit card details are displayed to you (to anyone who accesses this url).
This is my concern.

#

Autofill is mabye the wrong statement here. It is completly rendered by stripe

earnest ermine Jul 10, 2023, 7:05 AM

#

I see. these are some test credit card numbers that pre-filled ONLY test mode, so that you can just click on the Pay button to complete the test.

#

You won't see them pre-filled in live mode.

unborn raptor Jul 10, 2023, 7:06 AM

#

Ah wow super. that solves this problem. I was thinking live mode and test mode are completly identical in their behaviour

earnest ermine Jul 10, 2023, 7:07 AM

#

You can create an invoice in live mode and check its behaviour.

#

Thanks for your feedback. I'd bring back to the relevant team and see how we can make the product better

unborn raptor Jul 10, 2023, 7:11 AM

#

Okay we will do this.
So I assume it is still possible to delete "test-data" in live mode?
We have worked only in test-mode until we are ready and have our platform being opened to the public - then we would switch our api keys with live mode.

earnest ermine Jul 10, 2023, 7:14 AM

#

You can delete a draft invoice, once an invoice is finalized, you can't delete it but you can void it.

#benji6456