next-stripe icon indicating copy to clipboard operation
next-stripe copied to clipboard

Published 20 hours ago verified publisher icon ynnoj

Only pass through parameters that can safely be used on the client

Open thorsten-stripe opened this issue 4 years ago • 0 comments

Certain parameters should not be accessible on the client as they could be abused by a bad actor:

For Checkout session creation, do NOT allow usage of:

  • customer (see #15)
  • customer_email
  • line_items[].price_data (see #16)
  • line_items.amount
  • line_items.currency
  • payment_intent_data except for metadata
  • setup_intent_data except for metadata
  • subscription_data.application_fee_percent
  • subscription_data.trial_end
  • subscription_data.trial_period_days

For PaymentIntent creation, do NOT allow usage of:

  • amount
  • customer
  • application_fee_amount
  • transfer_data
  • transfer_group

thorsten-stripe avatar Jan 29 '21 17:01 thorsten-stripe