Is embedding a Stripe form in a website secure?

  • Asked on June 13, 2016 at 12:29 PM
  • Answered on June 13, 2016 at 01:41 PM

    Could you please tell us a bit more detail regarding your question?

    Once we know more we would be happy to assist with the same.

  • Answered on June 13, 2016 at 01:45 PM
    Hi Ben:
    I didn't mean to open a ticket, I was trying to search your Knowledgebase
    for something that showed whether an embedded form that included a Stripe
    transaction was secure on that page.
    - T.
  • Answered on June 13, 2016 at 02:17 PM

    Oh OK, not sure how it became a ticket then :)

    If you do not mind, I could still reply back to you on that :)

    This would depend on the point of view and, in general, the only way for it to be considered truly secure would be if the page you are embedding it on is opened over HTTPS.

    If it is opened over HTTP, a non-secure protocol, the Stripe calls would still be made over HTTPS; however, this would not offer complete security, and while you might read somewhere that it is enough, you will find others that say that it is not.

    If you are opening a website over Wi-Fi, that would not be seen as secure (embedding a form on an HTTP website), since some data could be read and some other data could be changed easily along the way.

    If you are opening a website (over HTTP) with an embed that calls Stripe over your wired broadband connection and you are sure that there are no people listening (while the same applies as for Wi-Fi), you could say that it is secure.

    In fact, the HTTP website is secure as long as someone is not listening in in any way.

    As a rule of thumb, HTTPS is always better than HTTP.

    To make a summary:

    1. Embedding a form on a website accessed over HTTPS - great and safe - feel free to do it

    2. Embedding a form on a website accessed over HTTP - not as safe; however, people are doing it and some part of the data is still being sent in a safe manner (the one going to Stripe), but it would be possible to implement 'a listener' on the rest of the page.

    * methods here do not make much of a difference; the protocol does

    Hope this helps :)
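
The check described in the summary above, written as an added example (not part of the original thread and not the form provider's code): it audits a host page for both common embed methods, script and iframe, and shows that the verdict follows the protocol of the host page. The hosts `shop.example` and `forms.example`, the sample markup, and the severity labels are constructed assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

class EmbedFinder(HTMLParser):
    """Collects the src of every <script> and <iframe>, the two usual embed methods."""
    def __init__(self):
        super().__init__()
        self.embeds = []  # list of (tag, src)

    def handle_starttag(self, tag, attrs):
        src = dict(attrs).get("src")
        if tag in ("script", "iframe") and src:
            self.embeds.append((tag, src))

def audit_embed(page_url, html):
    """Return (severity, message) findings for a page that embeds a payment form."""
    findings = []
    page_is_https = urlparse(page_url).scheme == "https"
    if not page_is_https:
        findings.append(("high", "host page is served over HTTP: its markup, "
                         "including the embed tag, can be read or altered in transit"))
    finder = EmbedFinder()
    finder.feed(html)
    for tag, src in finder.embeds:
        # urljoin resolves relative and protocol-relative ("//host/...") sources,
        # which inherit the scheme of the host page.
        resolved = urljoin(page_url, src)
        if urlparse(resolved).scheme != "https":
            findings.append(("high", f"<{tag}> loads {resolved} without TLS"))
        elif not page_is_https:
            findings.append(("info", f"<{tag}> loads {resolved} over HTTPS, "
                             "but the HTTP host page decides what gets loaded"))
    return findings

# Constructed sample pages; forms.example is a placeholder form host.
SCRIPT_EMBED = '<html><body><script src="https://forms.example/embed/123.js"></script></body></html>'
IFRAME_EMBED = '<html><body><iframe src="//forms.example/form/123"></iframe></body></html>'

if __name__ == "__main__":
    for url in ("https://shop.example/pay", "http://shop.example/pay"):
        for html in (SCRIPT_EMBED, IFRAME_EMBED):
            print(url, audit_embed(url, html) or "no findings")
```
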