Important Information

  • In this HTML file, a merchantUniquePaymentId is generated automatically for User Acceptance Testing (UAT) purposes. When moving to a production environment, replace this with a custom-generated unique ID so that each payment is distinctly identified.
  • The generation of the fingerprint is demonstrated within this HTML file for example purposes only. The fingerprint must be generated and hashed on the server side. This prevents exposure in the front end and potential interception by unauthorized parties.
  • HTTPS Enforcement: Secure all web traffic by enforcing HTTPS with a minimum of TLS version 1.2 or above to encrypt data and protect against interception.
  • API Rate Limiting: Introduce API rate limiting to curb excessive requests, and adopt non-descriptive error messages so that failed requests do not reveal which check rejected them.
  • Referrer Header Checks: Validate the HTTP referrer header server-side to ensure requests are originating from your site, especially for sensitive actions like checkout.
  • CSRF Token Implementation: Implement a unique CSRF token for each user session within the checkout process. Generate this token server-side and embed it as a hidden field in the payment form. Upon the form's submission, the server validates the token against the session, ensuring the request originates from the authenticated user's active session and defending against CSRF attacks.
  • CAPTCHA Solutions: Incorporate CAPTCHA mechanisms, such as hCaptcha, Cloudflare Turnstile, or Google reCAPTCHA, to differentiate human users from automated bots.
  • Adherence to OWASP Top Ten: Regularly consult and adhere to the OWASP Top Ten list of security risks to maintain awareness and defense against common web application vulnerabilities.
Credentials
Program Details
Payment Details
Customer Details
Payment Options

Payment Methods

Display Options

Email Notifications

Tokenisation Options