#hassan_api

👋 Welcome to your new thread!

⏲️ We'll be here soon! Typically we respond in a few minutes, but sometimes we might take a bit longer if the server is busy or if you have a particularly tricky question.

⏱️ We close idle threads, which makes them read-only. Once a thread is closed it won't be reopened, but you can always start a new thread if you have another question.

🔗 This thread will always be available, even after it's closed. You can find it again using Discord's search, or you can save this link: https://discord.com/channels/841573134531821608/1263105480646201406

📝 Have more to share? Add more details, code, screenshots, videos, etc. below.

hi there!

can you clairfy what exactly is your quesiton?

How do i prevent card testing. I am using a direct API connection to stripe

Sorry i just read that Stripe provide CAPTURE but only if i use Stripe Checkout and not API

I recommend reading this doc about card testing: https://docs.stripe.com/disputes/prevention/card-testing

if you have some specific questions, I'm happy to help

otherwise I recommend talking to https://support.stripe.com/contact

From the Support email, they said it looks like the attackers are using Client Secret to submit other cards. They recommend to make it more difficult to obtain Client Secret. But how is that possible when we have to pass this back to the browser

I'm guessing you are using the Payment Element ot accept payments?

yes thats right and also setup intent

you would need to find ways to limit the exposure of the client_secret. for example each of your users can only create up to N SetupIntent every hour. or add a captcha before rendering the Payment Element with the client_secret. things like this.