I am just wondering if it is okay to make the Stripe account id (for Connect) and customer id visible in the browser. Is there any way that a person other than the holder could misuse them by obtaining the ids? (for example, moving earned money to their own account, or changing the person's information as a method of attack)
I think it's perfectly fine to expose stripe accountIds to the client. Like others have said, these ids are useless to an attacker unless the attacker gets your secret key.
Other answers argue that exposed ids + a compromised secret make it easier for an attacker. That's true, but if the attacker has your secret, you're screwed anyway. It takes one GET request to list all accountIds.
All sensitive information coming from the account id requires your Stripe Secret Key (or that of the account, for Connect accounts). That being said, if access to those keys is compromised, having the account ids readily available just makes it that much easier for an attacker.
With public keys, I'm not sure you can even add a card directly to a user. Just create the card tokens and what not.