[imtu80]

Most of the time these testing card attacks are automated. If so, You can implement code and use Stripe element. Additionally, add logic if you get request from same IP in, let say 5 per within 1 minutes then block them for 15 minutes or so. Add Captcha and use CloudFlare to block IP ranges.

[tempaccount3333]

Unfortunately, the attacks are happening completely outside of my website. The attacker is generating a Stripe Checkout page using my public key - which I have rotated several times. Implementing a captcha on my end won't work and I have no control over blocking IP addresses.

[magundu]

Now more people know how to do the card testing.

There must be an option to allow stripe script only in specific domains and sub domains. All other domains should be blocked.

[tehbeard]

Doesn't work as that kind of info is in the http headers sent by the client..

[harg]

Are you sure this is how it’s being done? My understanding of stripe checkout is that you need the secret key to create a checkout session.