by tempaccount3333 1156 days ago
Unfortunately, the attacks are happening completely outside of my website. The attacker is generating a Stripe Checkout page using my public key - which I have rotated several times. Implementing a captcha on my end won't work and I have no control over blocking IP addresses.
2 comments

Now more people know how to do the card testing.

There must be an option to allow Stripe script only in specific domains and subdomains. All other domains should be blocked.

Doesn't work as that kind of info is in the HTTP headers sent by the client.
Are you sure this is how it’s being done? My understanding of Stripe Checkout is that you need the secret key to create a checkout session.