Security concerns with using Stripe checkout over Cordova


Question

I'm looking into using Stripe.js for payment processing in a mobile web application wrapped in Cordova. According to the Stripe documentation all checkout pages should be served over https. Since Cordova will technically be serving these pages locally in a webview, are there any security concerns I should worry about?

Note: I will still be using https to submit the tokenized card details from Stripe to my remote API server to actually complete the charge.

Recommended answer

I'm an engineer at Stripe.

Cordova/PhoneGap isn't a platform we actively support with Stripe.js, but after talking it over with the team, we have two suggestions for how to mitigate potential vulnerabilities:

  1. Configure your Domain Whitelist sensibly, to limit the possibility of other scripts maliciously sending payment data to an untrusted third party. You should only need to add https://api.stripe.com to support communicating with Stripe.
  2. Always load the latest version of Stripe.js from our servers, per the Stripe.js documentation. This will ensure that you're always up-to-date with any bugfixes and patches we add to Stripe.js.

Beyond that, I believe your exposure is similar to using Stripe.js in a normal webpage, loaded in-browser.

(I should note that I assume you're using Stripe.js and not Stripe Checkout—the latter would require the https://checkout.stripe.com domain to be added to the domain whitelist, as well.)
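An added illustration of the whitelist advice above (example configuration, not from the answer or from Stripe): a permissive Cordova config.xml beside a restricted one, plus a matching Content-Security-Policy meta tag for the page that hosts the payment form. The app id `com.example.app`, the backend host `api.example.com`, and `https://js.stripe.com` as the origin Stripe.js is loaded from are assumptions, not taken from the page.

```xml
<!-- config.xml, WEAK: the wildcard many Cordova templates ship with. Any script that
     ends up in the webview can send the card details to any host it likes. -->
<widget xmlns="http://www.w3.org/ns/widgets" id="com.example.app" version="1.0.0">
  <access origin="*" />
</widget>

<!-- config.xml, RESTRICTED: only the origins the payment flow actually needs. -->
<widget xmlns="http://www.w3.org/ns/widgets" id="com.example.app" version="1.0.0">
  <!-- Stripe.js tokenization requests (the one origin the answer says is required) -->
  <access origin="https://api.stripe.com" />
  <!-- assumption: Stripe.js itself is fetched from Stripe's servers at this origin;
       the script load is a network request, so whitelist-based builds must allow it -->
  <access origin="https://js.stripe.com" />
  <!-- your own API that receives the token and creates the charge (placeholder host) -->
  <access origin="https://api.example.com" />
  <!-- only if you use Stripe Checkout instead of Stripe.js (see the note in the answer) -->
  <!-- <access origin="https://checkout.stripe.com" /> -->
</widget>

<!-- index.html, defence in depth inside the page itself: the whitelist limits where the
     webview may connect, the CSP limits which scripts may run and where they may post.
     frame-src is an assumption about Stripe.js rendering its inputs in iframes. -->
<meta http-equiv="Content-Security-Policy"
      content="default-src 'self';
               script-src 'self' https://js.stripe.com;
               connect-src https://api.stripe.com https://api.example.com;
               frame-src https://js.stripe.com;
               object-src 'none'" />
```

A quick check after building: an XHR from the page to a host not listed above should fail in the webview, which is the behaviour the whitelist is meant to enforce.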
