#frisbee - Checkout Abuse

viral ivy
#

Hello! It sounds like the bots are hitting the Stripe API directly, not using the Checkout UI. That's why you can't reproduce.

rotund saddle
#

Even though in the logs, the "Origin" is https://checkout.stripe.com/?
Hrm... the bot is constantly doing these requests, which causes our account to go over the Stripe Rate Limit.
Any advice on how I can prevent this?

viral ivy
#

Yes, the origin can be spoofed by the bots. You can't prevent this, unfortunately, but the rate limits are designed to prevent this behavior from causing harm. Is this something that happened in the past or something that is currently happening?

rotund saddle
#

This happened 2 days ago. Because of so many bogus requests that the botnet was doing, we hit the Stripe Rate Limit.
That meant legit customers could not check out and the webhooks on legit transactions weren't getting through.

#

Even though the amount of bogus requests has dropped and we no longer hit the limit, I still see the same bogus requests constantly in our logs -- even at this very moment

#

According to our dashboard on https://dashboard.stripe.com/developers,
before this week, we rarely got any failed API requests. But 2 days ago, we saw them in the thousands.

viral ivy
#

Are the bogus requests causing any problems right now?

rotund saddle
#

Not at this moment

viral ivy
#

Have you reached out to Stripe support about this yet?

rotund saddle
#

Yup. Several times.

#

3 separate people emailed me from Stripe support with something like...
"I'm going to escalate this to a specialist to get more detail on exactly how you can best address this issue, and we'll be in touch as soon as possible with next steps"

#

That was about 2 days ago and I haven't heard back from them...

viral ivy
#

I think the best thing to do is wait for replies from support. The bots are attacking Stripe, so this is something Stripe needs to deal with.

rotund saddle
#

Gotcha.