by whitehat2k9 3720 days ago
Prompting users to enter payment information over unsecured HTTP...smart.
3 comments

Seriously! It's 2016, unless you rely on 3rd party resources that don't support HTTPS there's no reason why your site shouldn't be HTTPS only. Certificates are free and there's negligible performance overhead with modern CPUs.
Looks like it does support HTTPS but there's no redirect & HSTS in place to force use of the secure site which is odd.
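As an added example (not from the thread or from the site under discussion), here is an nginx configuration that supplies the two missing pieces named above: a redirect from HTTP to HTTPS and an HSTS header. The hostname, certificate paths and upstream address are placeholders.

```nginx
# Added example, not the site's own configuration.
# Placeholders: example.com, the certificate paths, and the upstream address.

server {
    listen 80;
    listen [::]:80;
    server_name example.com www.example.com;

    # Send every plain-HTTP request to the HTTPS origin (301 so browsers cache it).
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name example.com www.example.com;

    ssl_certificate     /etc/letsencrypt/live/example.com/fullchain.pem;  # placeholder path
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;   # placeholder path

    # HSTS: browsers that have seen this header refuse plain HTTP to this host
    # (and its subdomains) for one year; "always" also sends it on error responses.
    # Only the HTTPS server block sets it, since browsers ignore HSTS over HTTP.
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

    location / {
        proxy_pass http://127.0.0.1:9000;  # placeholder: the application server behind nginx
    }
}
```

The redirect alone still leaves a visitor's very first plain-HTTP request open to interception; HSTS protects every later visit, and submitting the domain to browsers' HSTS preload list covers the first one as well.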
Yep, although the form posts to a secure URL: https://api.stripe.com/v1/tokens
Doesn't make it better though; a MITM could change the action URL of the form.
MITM requires a man in the middle. For the most part, a state level adversary is required for a generalized MITM attack.
Come join my wifi network at the coffee shop :-D
Yes, but that's not a general MITM attack as the NSA has pulled off. Only the folks at that particular coffee shop are placed at risk from this particular adversary.
Not if it's pinned at the web app level.
Again, MITM.

If you mean the front-end web (JS) app, MITM the request from the server to the client browser and replace the hardcoded submission URL in the JS.

Not really. I used Play Framework which is also its own webserver. SSL is at both the app and webserver level.
Usually Stripe throws warnings into the console for using their JS lib while on an HTTP site.