I am currently implementing Stripe in my project and I have a big doubt about the data I send to the front end. Is it secure if I send, for example, the payment_method_id to the front end, or if I expose the subscription_id or invoice_id? Is there any way for someone to use this data to perform malicious actions if it is exposed? I am also unsure whether I should save my data in my back-end database or make calls directly to Stripe when, for example, my front end makes a request to my back end to fetch all invoices. I would really appreciate your opinion.
1 Answer
0
Object IDs (like those for PaymentMethods, Subscriptions, etc.) on their own are not sensitive. It makes sense to send these to your frontend to process payments (e.g. sending a PaymentIntent ID to your frontend to confirm a payment). What you want to avoid is making your secret key accessible, as this grants access to make any API request on your account: https://stripe.com/docs/keys#obtain-api-keys
It's safe to store invoice IDs and other object IDs in a backend database. Fetching all invoices might be easy to do in testing or when there are only a few invoices to retrieve. However, listing all invoices every time you need to find a specific invoice could become cumbersome to handle.

LauraT
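An added example, not part of the answer above and not Stripe's own code: a backend that stores object IDs per user in its own table and checks ownership before retrieving an invoice, since an ID that is safe to expose is also not proof of who is asking. The table layout, function names, `fake_fetch` and the sample IDs are assumptions constructed for illustration.

```python
import sqlite3

def make_db():
    """In-memory table linking app users to Stripe invoice IDs (constructed sample data)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE invoices (user_id INTEGER, stripe_invoice_id TEXT PRIMARY KEY)")
    db.executemany(
        "INSERT INTO invoices VALUES (?, ?)",
        [(1, "in_test_alice_001"), (1, "in_test_alice_002"), (2, "in_test_bob_001")],
    )
    return db

def list_invoice_ids(db, user_id):
    """Look up one user's invoice IDs locally instead of listing every invoice at Stripe."""
    rows = db.execute(
        "SELECT stripe_invoice_id FROM invoices WHERE user_id = ? ORDER BY stripe_invoice_id",
        (user_id,),
    )
    return [row[0] for row in rows]

def get_invoice(db, session_user_id, invoice_id, fetch):
    """Return an invoice only if it belongs to the logged-in user.

    invoice_id comes from the browser, so it is untrusted input: knowing an ID
    must not be enough to read the object. `fetch` is the server-side call made
    with the secret key (in production, e.g. a wrapper around
    stripe.Invoice.retrieve with the key loaded from the server environment).
    """
    owned = db.execute(
        "SELECT 1 FROM invoices WHERE user_id = ? AND stripe_invoice_id = ?",
        (session_user_id, invoice_id),
    ).fetchone()
    if owned is None:
        return None  # same result for "not yours" and "does not exist"
    invoice = fetch(invoice_id)
    # Send the frontend only the fields it needs, not the whole object.
    return {key: invoice[key] for key in ("id", "status", "amount_due")}

def fake_fetch(invoice_id):
    """Offline stand-in for the Stripe retrieval call (constructed data)."""
    return {"id": invoice_id, "status": "paid", "amount_due": 0,
            "customer": "cus_test_123", "metadata": {"internal_note": "x"}}

if __name__ == "__main__":
    db = make_db()
    print(list_invoice_ids(db, 1))
    print(get_invoice(db, 1, "in_test_alice_001", fake_fetch))
    print(get_invoice(db, 2, "in_test_alice_001", fake_fetch))  # another user's ID
```
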