I am currently implementing Stripe in my project and I am facing a big doubt about the data I send to the front end. Is it secure if I send the payment_method_id, for example, to the front end, or if I expose the subscription_id or invoice_id? Is there any way for someone to use this data to perform malicious actions if it is exposed? I also have the doubt whether I should save my data in my back-end database or make calls directly to Stripe if, for example, my front end makes a request to my back end to fetch all invoices. I would really appreciate your opinion.
Stripe Data Security
63 views, asked by john bowlee
Object IDs (like those for PaymentMethods, Subscriptions, etc.) on their own are not sensitive. It makes sense to send these to your frontend to process payments (e.g. sending a PaymentIntent ID to your frontend to confirm a payment). What you want to avoid is making your secret key accessible, as this grants access to make any API request on your account: https://stripe.com/docs/keys#obtain-api-keys
It's safe to store invoice IDs and other object IDs in a backend database. Fetching all invoices might be easy to do in testing or when there are only a few invoices to retrieve. However, listing all invoices every time you need to find a specific invoice could become cumbersome to handle.
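The following is an added example, not code from the original question or answer, showing the two points above in a Node back end: the Stripe object ID the front end sends is treated as a non-secret lookup key, the secret key stays on the server, and the invoice is fetched by the ID recorded in the app's own database rather than by listing every invoice. The user records, invoice IDs, keys and the `stripeStub` stand-in for the Stripe SDK are all constructed for the example; a real deployment would replace `stripeStub` with `require('stripe')(STRIPE_SECRET_KEY)` and `await stripe.invoices.retrieve(id)`.

```javascript
// Added example (not part of the original post). Demonstrates a backend
// handler that accepts a Stripe invoice ID from the frontend without
// treating the ID as a secret: the secret key never leaves the server and
// the handler checks that the invoice belongs to the calling user.
// All keys, IDs, records and the Stripe stand-in are constructed.

// Secret key: read from the server environment and only ever passed to the
// Stripe SDK. It is never included in any response to the browser.
const STRIPE_SECRET_KEY =
  (typeof process !== 'undefined' && process.env.STRIPE_SECRET_KEY) || null;
// Publishable key: the only key the frontend needs (placeholder value).
const STRIPE_PUBLISHABLE_KEY = 'pk_test_placeholder';

// Constructed stand-in for the Stripe SDK. The real SDK call is
// `await stripe.invoices.retrieve(id)`; this synchronous stub exists so the
// example runs offline.
const stripeStub = {
  invoices: {
    retrieve(id) {
      const data = {
        in_1AAAA: { id: 'in_1AAAA', customer: 'cus_alice', amount_due: 1999,
                    status: 'paid', hosted_invoice_url: 'https://invoice.example/a' },
        in_2BBBB: { id: 'in_2BBBB', customer: 'cus_bob', amount_due: 4999,
                    status: 'open', hosted_invoice_url: 'https://invoice.example/b' },
      };
      if (!data[id]) {
        const e = new Error(`No such invoice: ${id}`);
        e.code = 'resource_missing';
        throw e;
      }
      return data[id];
    },
  },
};

// Constructed application database: each user maps to their Stripe customer
// ID and the invoice IDs the backend has already recorded (e.g. from
// webhooks), so a lookup is by ID, not a scan of every invoice in Stripe.
// "carol" has a deliberately wrong local record to exercise the second check.
const db = {
  users: {
    alice: { stripeCustomerId: 'cus_alice', invoiceIds: ['in_1AAAA'] },
    bob:   { stripeCustomerId: 'cus_bob',   invoiceIds: ['in_2BBBB'] },
    carol: { stripeCustomerId: 'cus_carol', invoiceIds: ['in_1AAAA'] },
  },
};

// What the frontend receives: a safe projection of the Stripe object, not
// the raw object (which carries customer and payment details).
function toClientInvoice(inv) {
  return {
    id: inv.id,
    amountDue: inv.amount_due,
    status: inv.status,
    hostedInvoiceUrl: inv.hosted_invoice_url,
  };
}

// Handler for GET /invoices/:id. `userId` must come from the server-side
// session, never from the request body or query string.
// Returns { status, body } so the logic can be tested without a web server.
function getInvoice(userId, invoiceId, stripe = stripeStub) {
  const user = db.users[userId];
  if (!user) return { status: 401, body: { error: 'unauthenticated' } };

  // Check 1: only IDs recorded for this user are looked up. A guessed or
  // leaked ID belonging to someone else is rejected before any Stripe call,
  // so the backend cannot be used to enumerate invoices in the account.
  if (!user.invoiceIds.includes(invoiceId)) {
    return { status: 404, body: { error: 'not found' } };
  }

  const inv = stripe.invoices.retrieve(invoiceId);

  // Check 2 (defence in depth): even if the local record is wrong, the
  // invoice's customer must match the caller's customer. 404 rather than
  // 403 avoids confirming that the ID exists.
  if (inv.customer !== user.stripeCustomerId) {
    return { status: 404, body: { error: 'not found' } };
  }

  return { status: 200, body: toClientInvoice(inv) };
}

// The only Stripe configuration the frontend is allowed to fetch.
function publicConfig() {
  return { publishableKey: STRIPE_PUBLISHABLE_KEY };
}

module.exports = { getInvoice, publicConfig, toClientInvoice };
```

The point of the two checks is that the invoice ID itself is not the access control: anyone can be shown or guess `in_1AAAA`, and it does no harm as long as the back end only uses the ID to look up an object it already knows belongs to the caller, and only with a key that never leaves the server.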