#pure_auth-stripejs
I'm not finding a doc that says we use mTLS specifically but am still looking into it and will get back with what I can find.
The doc I linked includes the mTLS part I'm referring to
Sorry in Stripe.js
I think that made it more unclear. I am not seeing a doc that says mTLS specifically for Stripe.js (or I guess connect.js in this case)
Also, another question when you get a chance: do you know why Apple Pay/Stripe requires the domain be verified? Is it used for security purposes somewhere? Looking to get more context into that.
That is a requirement from Apple themselves. I believe it is security related, but basically they don't support their button on unverified domains, so we have to require that verification as well
I am still having trouble looking into this mTLS aspect. We definitely use TLS because that is a part of HTTPS. Is there an underlying question behind asking whether we use mTLS specifically?
Yeah
I was just wondering what security practices are used by Stripe for client-side communication
Is it just TLS and that it's behind an iframe?
It looks like we don't use mTLS for Stripe.js. Using iframes and TLS are definitely two of the big ones I'm aware of, we also have passive fraud signals that Stripe.js though that is a different kind of protection.
Is there somewhere I can read more about the Stripe.js iframe? Looking to learn more about the security practices there.
It looks like we don't have an official doc on that unfortunately. Is there a specific aspect of iframe security that I can help look into? Or just trying to get a general understanding?
Just a general understanding
Gotcha, unfortunately I'm not finding a doc on that. There are good guides on places like MDN that talk about things like how iframes can be used to segregate access to data, but I'm not finding anything that specifically talks about Stripe.js
Do you know if there is any type of authentication scheme Stripe.js uses for API calls?
Hi
I'm stepping in as my colleague needed to go.
Thanks.
Unfortunately we cannot really go into deep dives around auth practices of Stripe.js here.
I can see the encryption and TLS headers in the request sent from my test site (inspecting the request headers from a payment intent confirmation), but I do not have the expertise to dig into the specific auth methods
If this was something you really needed to know in order to proceed with an integration, then I recommend reaching out to Support (or any Stripe contact you may have) to get a breakdown of how we keep your information secured: https://support.stripe.com/contact
Otherwise, I'm afraid I won't be able to help much beyond that.