I'm looking into using Stripe.js for payment processing in a mobile web application wrapped in Cordova. According to the Stripe documentation all checkout pages should be served over https. Since Cordova will technically be serving these pages locally in a webview, are there any security concerns I should worry about?
我正在研究使用Stripe.js在Cordova中包含的移动Web应用程序中进行支付处理。根据Stripe文档,所有结帐页面都应通过https提供。由于Cordova在技术上将在webview中本地提供这些页面,我是否应该担心任何安全问题?
Note: I will still be using https to submit the tokenized card details from Stripe to my remote API server to actually complete the charge.
注意:我仍然会使用https将Stripe中的标记化卡详细信息提交到我的远程API服务器以实际完成收费。
2 个解决方案
#1
28
I'm an engineer at Stripe.
我是Stripe的工程师。
Cordova/PhoneGap isn't a platform we actively support with Stripe.js, but after talking it over with the team, we have two suggestions for how to mitigate potential vulnerabilities:
Cordova / PhoneGap不是我们积极支持Stripe.js的平台,但在与团队讨论之后,我们就如何减轻潜在漏洞提出了两点建议:
- Configure your Domain Whitelist sensibly, to limit the possibility of other scripts maliciously sending payment data to an untrusted third party. You should only need to add
https://api.stripe.com
to support communicating with Stripe. - 明智地配置域白名单,以限制其他脚本恶意将付款数据发送给不受信任的第三方的可能性。您只需添加https://api.stripe.com即可支持与Stripe通信。
- Always load the latest version of Stripe.js from our servers, per the Stripe.js documentation. This will ensure that you're always up-to-date with any bugfixes and patches we add to Stripe.js
- 始终根据Stripe.js文档从我们的服务器加载最新版本的Stripe.js。这将确保您始终了解我们添加到Stripe.js的任何错误修正和补丁
Beyond that, I believe your exposure is similar to using Stripe.js in a normal webpage, loaded in-browser.
除此之外,我相信您的曝光类似于在浏览器中加载的普通网页中使用Stripe.js。
(I should note that I assume you're using Stripe.js and not Stripe Checkout—the latter would require the https://checkout.stripe.com
domain to be added to the domain whitelist, as well.)
(我应该注意,我假设您使用的是Stripe.js而不是Stripe Checkout - 后者需要将https://checkout.stripe.com域添加到域白名单中。)
#2
1
I posted an answer related to this in a similar question. If you control a custom API, give it https protection and send your whole checkout form down into an iframe (source set to your API endpoint).
我在类似的问题中发布了与此相关的答案。如果您控制自定义API,请为其提供https保护,并将整个结帐表单向下发送到iframe(设置为API端点的源)。
Then use a plugin like Cordova-HTTP for SSL pinning, and you should be more secure!
然后使用像Cordova-HTTP这样的插件进行SSL固定,你应该更安全!
Original answer: Implement Stripe Payment Gateway in Cordova/Phonegap Application
原始答案:在Cordova / Phonegap应用程序中实施Stripe Payment Gateway
#1
28
I'm an engineer at Stripe.
我是Stripe的工程师。
Cordova/PhoneGap isn't a platform we actively support with Stripe.js, but after talking it over with the team, we have two suggestions for how to mitigate potential vulnerabilities:
Cordova / PhoneGap不是我们积极支持Stripe.js的平台,但在与团队讨论之后,我们就如何减轻潜在漏洞提出了两点建议:
- Configure your Domain Whitelist sensibly, to limit the possibility of other scripts maliciously sending payment data to an untrusted third party. You should only need to add
https://api.stripe.com
to support communicating with Stripe. - 明智地配置域白名单,以限制其他脚本恶意将付款数据发送给不受信任的第三方的可能性。您只需添加https://api.stripe.com即可支持与Stripe通信。
- Always load the latest version of Stripe.js from our servers, per the Stripe.js documentation. This will ensure that you're always up-to-date with any bugfixes and patches we add to Stripe.js
- 始终根据Stripe.js文档从我们的服务器加载最新版本的Stripe.js。这将确保您始终了解我们添加到Stripe.js的任何错误修正和补丁
Beyond that, I believe your exposure is similar to using Stripe.js in a normal webpage, loaded in-browser.
除此之外,我相信您的曝光类似于在浏览器中加载的普通网页中使用Stripe.js。
(I should note that I assume you're using Stripe.js and not Stripe Checkout—the latter would require the https://checkout.stripe.com
domain to be added to the domain whitelist, as well.)
(我应该注意,我假设您使用的是Stripe.js而不是Stripe Checkout - 后者需要将https://checkout.stripe.com域添加到域白名单中。)
#2
1
I posted an answer related to this in a similar question. If you control a custom API, give it https protection and send your whole checkout form down into an iframe (source set to your API endpoint).
我在类似的问题中发布了与此相关的答案。如果您控制自定义API,请为其提供https保护,并将整个结帐表单向下发送到iframe(设置为API端点的源)。
Then use a plugin like Cordova-HTTP for SSL pinning, and you should be more secure!
然后使用像Cordova-HTTP这样的插件进行SSL固定,你应该更安全!
Original answer: Implement Stripe Payment Gateway in Cordova/Phonegap Application
原始答案:在Cordova / Phonegap应用程序中实施Stripe Payment Gateway