Reputation: 4429
Requirement: The Node.js (Sails) application needs an interface (settings page) so the user can add both publishable and secret keys after they have created their account on Stripe.
My thoughts on how to do it: Have a settings page, and once the user enters both keys, the application will write the secret key to a file. The controller that requires the secret key will then load the file and use it.
For the publishable key, once the user adds it in the settings page, the application saves it to the database, and in my HTML file I can query the database via an AJAX call, retrieve the publishable key, and assign it to a JS variable.
My question: is this good practice in terms of security?
Any suggestions on how to improve it?
Many thanks
Upvotes: 1
Views: 535
Reputation: 1021
Is this a hosted application? If so, you can use Stripe Connect to get keys specific to your application. They never have to share anything with you; they just go through the OAuth flow, and at the end you have a publishable key and a secret key that you can use to make charges on their behalf.
If this is an installable application I would encourage you to keep both keys in environment variables instead of the database or files.
Upvotes: 1