#Guillaume-client_secret

dim elm
Hi there, yes this is fine.

lucid shell
Ok great. This means I can still give the customer a status report even if their session has timed out.

You guys rock! And thank you for being available here for questions!

dim elm
Happy to help!

lucid shell
Related security question: could someone iterate through client_secrets on my return_url page to try and leak info? Or will your api throttling catch this and make it unworkable?

dim elm
They could potentially hit rate limits, but it is possible that they could do this to some extent. However, the client_secret really can only be used to complete a payment, so it won't have a lot of sensitive information that can be accessed with it.

lucid shell
Yeah, the receipt_email seems to be the only thing really.

The question then is whether I want to be as secure as possible and only rely on session data...

But that means if the customer takes a while to checkout, they wouldn't get a confirmation page.

Or I can just auth the URL... sorry, thinking out loud, I'll figure something out, thanks again for your help! 🙂

dim elm
lucid shell
Oh!