Stripe Security Concern on Django
Is there a security issue created by having the clientSecret of Stripe's PaymentIntent API stored in plaintext in the client-side HTML? I'm new to web development and integrated Stripe's PaymentIntent API by following this tutorial: https://stripe.com/docs/payments/accept-a-payment. Unfortunately, they didn't have a guide that was Django specific. The guide was for flask. I did my best improvisation, but I didn't want to go through the trouble of making a specific endpoint for passing PaymentIntent's clientsecret. Instead, I defined a clientSecret variable that I store in plaintext on the client-side via {{ clientsecret}}. To provide some background, I'm using Django 3.0 with django-oscar 2 and python 3.6.
The Stripe guide states, "The client secret should still be handled carefully because it can complete the charge. Do not log it, embed it in URLs, or expose it to anyone but the customer." I don't believe I'm doing this, but I'm afraid that by defining it as a variable that the webpage is given by Django, there is some sort of logging. I'm using https so I believe there are some boundaries against the contents of the webpage being exposed, and it's definitely not exposed in the URL itself.
Let me know what you guys think, not trying to lose someone's money!
If you click "server-side rendering" in the Stripe tutorial, it looks like their Python example does exactly what you're talking about. They just store {{ client_secret }} in an attribute of a <button> element.
- Django CSRF Cookie Not Set
- Display encoded video frames using React and Django
- Exception Value:failed to find libmagic. Check your installation in windows 7
- Why isn't a nested-dot lookup evaluating in this Django template?
- Updating quantity in javascript
- Django one of 2 fields must not be null
- Django form field label translations
- Django form: what is the best way to modify posted data before validating?
- Django RestFramework make lookup_field accept special characters (".")
- creating a category system with MVT in django
- CSRF Failed: Origin checking failed - http://localhost:8000/ does not match any trusted origins
- How to save data into two related tables in Django?
- Django ModelDiffMixin: Maximum recursion depth exceeded
- Reverse Serializing Many to Many Relations Causes RecursionError
- django.db.utils.ProgrammingError: column "role" of relation "APP_profile" does not exist
- How can I enable CORS on Django REST Framework
- Display JavaScript Fetch for JsonResponse 2 Tables on HTML
- Django table reduce text when larger then cell size
- Get Image Field Absolute Path in Django Rest Framework - Non Request Flows
- Use JSON data in Django fields
- Why isn't my form data inserted into the database?
- Custom 404 and 500 pages in django with -> DEBUG = True
- If only CI fails, what kind of trouble could there be for django?
- In Django CI, githubactions try to another database for testing
- How to arbitrarily nest some data in a django rest framework serializer
- Submit button doesn't refresh page and send POST request
- selenium: Max retries exceeded with url
- Getting Django admin url for an object
- How can I annotate my Django queryset with a count of related objects
- Change ModelSerializer field key with function