Nello

Reputation: 1755

Security issue: Storing Stripe Response Data

I was wondering whether there is any issue with storing data returned from Stripe in a backend database. I was thinking of the charge id once the charge has been made.

Stripe: Create a charge

Stripe\Charge JSON: {
  "id": "ch_18FZX8CBgCsd1mBnmBbSzh4M",
  "object": "charge",
  "amount": 2000,
  "amount_refunded": 0,
  "application_fee": null,
  "balance_transaction": "txn_18EXdtCBgCsd1mBn4RdsEaqI",
  "captured": true,
  "created": 1464311582,

I was thinking of storing the id

"id": "ch_18FZX8CBgCsd1mBnmBbSzh4M"

Is this safe? Or is there a better way of doing it? Can users be permitted to see this charge id?

Upvotes: 2

Views: 193

Answers (1)

Matthew Arkin

Reputation: 4658

That information is really only valuable with your secret API key. And if an attacker gets your secret key, they can get all your past charges without knowing their ids anyway - the Stripe API has a list function to retrieve them all. The charge id alone can't be used for anything.

Upvotes: 3
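One way to store the charge id discussed above, as an added example that is not code from the question or the answer: it keeps only a few allow-listed fields from the charge object and scopes every lookup to the owning user, so the id serves as a reference and is never treated as proof of ownership. The table layout, function names and user ids are assumptions; the sample charge is the excerpt from the question, closed into valid JSON.

```python
import json
import sqlite3

# Constructed sample: the fields shown in the question, closed into valid JSON.
SAMPLE_CHARGE = json.loads("""{
  "id": "ch_18FZX8CBgCsd1mBnmBbSzh4M",
  "object": "charge",
  "amount": 2000,
  "amount_refunded": 0,
  "application_fee": null,
  "balance_transaction": "txn_18EXdtCBgCsd1mBn4RdsEaqI",
  "captured": true,
  "created": 1464311582
}""")

# Only these fields are persisted; the secret API key never goes in this table.
STORED_FIELDS = ("id", "amount", "captured", "created")

def open_db(path=":memory:"):
    """Open the database and create the (hypothetical) charges table."""
    db = sqlite3.connect(path)
    db.execute("""CREATE TABLE IF NOT EXISTS charges (
        charge_id TEXT PRIMARY KEY,
        user_id   INTEGER NOT NULL,
        amount    INTEGER NOT NULL,
        captured  INTEGER NOT NULL,
        created   INTEGER NOT NULL)""")
    return db

def record_charge(db, user_id, charge):
    """Persist the allow-listed fields of a charge, tied to the paying user."""
    if charge.get("object") != "charge":
        raise ValueError("not a Stripe charge object")
    cid, amount, captured, created = (charge[f] for f in STORED_FIELDS)
    db.execute("INSERT INTO charges VALUES (?, ?, ?, ?, ?)",
               (cid, user_id, amount, int(captured), created))
    db.commit()
    return cid

def charge_for_user(db, user_id, charge_id):
    """Return the stored row only if this user owns the charge, else None."""
    row = db.execute(
        "SELECT charge_id, amount, captured, created FROM charges "
        "WHERE charge_id = ? AND user_id = ?", (charge_id, user_id)).fetchone()
    return dict(zip(STORED_FIELDS, row)) if row else None
```
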
