#trokas_code
Welcome to your new thread!
We'll be here soon! Typically we respond in a few minutes, but sometimes we might take a bit longer if the server is busy or if you have a particularly tricky question.
We close idle threads, which makes them read-only. Once a thread is closed it won't be reopened, but you can always start a new thread if you have another question.
This thread will always be available, even after it's closed. You can find it again using Discord's search, or you can save this link: https://discord.com/channels/841573134531821608/1217063863657168927
Have more to share? Add more details, code, screenshots, videos, etc. below.
Hi! Yep, those query parameters are added so you can implement logic on your success page more easily. What was your question exactly?
In my implementation I do not currently use these two parameters at all. I am using the ASP.NET MVC web framework with C#. I also use Stripe on the server side via the NuGet package Stripe.net. My problem is that the return URL exposes client info like the PaymentIntent client secret, which the documentation says should be hidden.
It's not a problem, really.
If you have a specific attack you think that makes possible, let us know. Those values are public overall.
Are you sure about that?
https://docs.stripe.com/api/payment_intents/object
Here it says:
The client secret of this PaymentIntent. Used for client-side retrieval using a publishable key.
The client secret can be used to complete a payment from your frontend. It should not be stored, logged, or exposed to anyone other than the customer. Make sure that you have TLS enabled on any page that includes the client secret.
Yes, I'm aware the API reference says that.
I don't think having the client_secret of an already completed PaymentIntent exposed to the customer (who already had it in their browser in the first place) and in your access logs (where the PaymentIntent is already completed and thus not much can be done with the client_secret) is a problem, but I'm not part of the team who decided to add these things. Definitely let us know if you think there's a possible attack here!
OK, I see your point and I believe the same too. But can I talk with another team member of yours, from the team that added these parameters, just to make sure they won't do any harm if they are exposed to the user?
You can open a support ticket at https://support.stripe.com/?contact=true, sure, but I'm not sure you'd get a different answer!