by ookblah 1152 days ago
I don't get it. You have to generate the session server-side before the redirect, so you can do all your checks there, from rate limiting, etc.

Pass a nonce or something that you can check for before creating the redirect, to make sure it's being generated from your own site.

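The gating the comment above describes, as an added example that is not part of the thread and not Stripe's own code: the server that renders the checkout page issues a short-lived, HMAC-signed, single-use nonce bound to the client, and the "create session" endpoint applies a per-client rate limit and verifies the nonce before calling the payment provider. The provider call itself is a hypothetical stand-in (`fake_create_session`) so the example runs offline; in a real deployment it would be the SDK call (for stripe-python, `stripe.checkout.Session.create`). The secret, limits and client identifiers are constructed for the example.

```python
"""Server-side gate for checkout-session creation (added example, not from the thread)."""
import hashlib
import hmac
import secrets
import time
from collections import defaultdict, deque

# Constructed secret for the example; in practice load it from config or a KMS.
NONCE_SECRET = b"example-only-server-secret"
NONCE_TTL_SECONDS = 300


def issue_nonce(client_id, now=None):
    """Issue '<expiry>.<random>.<mac>', bound to the client that loaded the checkout page."""
    now = time.time() if now is None else now
    expiry = str(int(now) + NONCE_TTL_SECONDS)
    rand = secrets.token_hex(8)
    msg = f"{client_id}|{expiry}|{rand}".encode()
    mac = hmac.new(NONCE_SECRET, msg, hashlib.sha256).hexdigest()
    return f"{expiry}.{rand}.{mac}"


def verify_nonce(client_id, nonce, now=None):
    """Constant-time MAC check plus expiry; rejects forged, foreign-client and stale nonces."""
    now = time.time() if now is None else now
    try:
        expiry, rand, mac = nonce.split(".")
    except ValueError:
        return False
    if not expiry.isdigit() or int(expiry) < now:
        return False
    msg = f"{client_id}|{expiry}|{rand}".encode()
    expected = hmac.new(NONCE_SECRET, msg, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, mac)


class SlidingWindowLimiter:
    """Allow at most max_requests per key within any window_seconds-long window."""

    def __init__(self, max_requests, window_seconds):
        self.max_requests = max_requests
        self.window = window_seconds
        self._hits = defaultdict(deque)

    def allow(self, key, now=None):
        now = time.time() if now is None else now
        q = self._hits[key]
        while q and q[0] <= now - self.window:  # drop timestamps outside the window
            q.popleft()
        if len(q) >= self.max_requests:
            return False
        q.append(now)
        return True


def fake_create_session(price_id):
    """Hypothetical stand-in for the provider SDK call; returns the redirect target."""
    return {"id": "cs_example_" + secrets.token_hex(4),
            "url": "https://checkout.example.test/pay/" + price_id}


class CheckoutGate:
    """Only requests that pass the rate limit and present a fresh nonce reach the provider."""

    def __init__(self, limiter, create_session=fake_create_session):
        self.limiter = limiter
        self.create_session = create_session
        self._used = set()  # consumed nonces; use a shared store (e.g. Redis) across instances

    def create_checkout(self, client_id, nonce, price_id, now=None):
        """Return (status, session). The limiter runs first so bad nonces still count as hits."""
        if not self.limiter.allow(client_id, now):
            return "rate_limited", None
        if not verify_nonce(client_id, nonce, now):
            return "bad_nonce", None
        if nonce in self._used:
            return "replayed", None
        self._used.add(nonce)
        return "ok", self.create_session(price_id)


if __name__ == "__main__":
    gate = CheckoutGate(SlidingWindowLimiter(max_requests=3, window_seconds=60))
    nonce = issue_nonce("client-a")          # embedded in the rendered checkout page
    print(gate.create_checkout("client-a", nonce, "price_example"))   # ('ok', {...})
    print(gate.create_checkout("client-a", nonce, "price_example"))   # ('replayed', None)
```

Binding the nonce to the client and making it single-use means a nonce scraped from one page load cannot be used to mint sessions from elsewhere, and the limiter bounds how many attempts any one client can make regardless of nonce validity.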

There's a client-side only implementation of Stripe Checkout, which is what the OP might be using. [tutorial example](https://designcode.io/advanced-react-hooks-handbook-stripe-c...)
That's probably a legacy version then. I had a similar issue with the old Checkout flow where card testers could just generate tokens using your public key and feed them to whatever endpoint. They need to move to Payment Intents.