Is it secure enough to sent credit card information using HTTP POST on a encrypted SSL connection?

Question

The credit card info will be sent over to the server by the client to complete a purchase, through a mobile app. The server will host PHP scripts that have references to the Stripe REST API (Which will be used for payments). The data is sent through HTTP POST on a SSL connection. My question is that whether this method is secure? Will sending the data through HTTP headers make it more secure?

Answer 1

Stripe has a robust Javascript API that allows you to process data client-side (on the user's phone in your mobile app) and send it directly to Stripe without it ever touching your server.

The documentation for this API is at:

https://stripe.com/docs/stripe.js

They also have client-side APIs for other languages commonly used to write apps. See:

https://stripe.com/docs/checkout/tutorial

Answer 2

My question is that whether this method is secure?

If your question is about securing the transport of the information between client and server then it is secure enough provided you have properly implemented TLS with strong ciphers and certificates and proper certificate validation by the client app.

If you instead asking if this is secure in general then this question cannot be answered because the security of the data not only depends on the transport but on how you proceed with the data outside the TLS connection, i.e. if you store the data at the server or client app, if your site is vulnerable to SQL injection or similar and thus attackers can retrieve stored data etc.

You should also check with your payment provider if your are legally allowed to process the data this way.

Will sending the data through HTTP headers make it more secure?

No. It might even be worse since some HTTP headers are often stored in log files, thus exposing the information outside of the TLS connection.