
RE: Introducing SC2 Pay - A SteemConnect Add-On for Seamless STEEM/SBD Payments

in #utopian-io, 7 years ago

This is great! I love seeing stuff like this happen.

One thing we do with FoxyCart which you may want to consider is HMAC encryption on the payment links. That ensures what was pushed out by the application via JavaScript / HTML comes back to the server as expected. You can find out more about what we do here.


Hey @lukestokes - thank you for your feedback! What I've implemented here is only a client-side library, so unless I'm missing something I think the HMAC encryption would be done on the server-side.

I definitely agree that all links and payment-related information should be signed/encrypted as you mentioned so that all of the information can be validated. If / when I add any server-side components to this project I will definitely include that and probably use your docs for some help!

Please let me know if I'm misunderstanding what you're suggesting though!

That sounds perfect! The challenge with purely client-side tools is you can't store any secrets. What we also do is provide a server-side signing form so links can be signed and then used on static sites. A toolset like that (along with server-side validation code) could be really helpful so the signed links secure what's on the front end and the backend validates them as well.