top | item 35683451

imtu80 | 2 years ago

Most of the time these card testing attacks are automated. If so, you can implement code and use Stripe Elements. Additionally, add logic so that if you get requests from the same IP, let's say 5 within 1 minute, you block them for 15 minutes or so. Add a CAPTCHA and use Cloudflare to block IP ranges.
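
The per-IP throttle suggested in the comment above, as an added example that is not part of the original thread: a sliding-window limiter using the comment's numbers (5 attempts within 1 minute, then a 15-minute block). The class name, the choice to trip the block on the fifth attempt, and the sample IPs are assumptions made for illustration.

```python
from collections import defaultdict, deque

WINDOW_SECONDS = 60        # "within 1 minute"
MAX_ATTEMPTS = 5           # the 5th attempt inside the window trips the block (assumed reading)
BLOCK_SECONDS = 15 * 60    # "block them for 15 minutes"


class AttemptLimiter:
    """Sliding-window limiter keyed by client IP, with a timed block (hypothetical helper)."""

    def __init__(self, max_attempts=MAX_ATTEMPTS, window=WINDOW_SECONDS,
                 block=BLOCK_SECONDS):
        self.max_attempts = max_attempts
        self.window = window
        self.block = block
        self._attempts = defaultdict(deque)  # ip -> timestamps still inside the window
        self._blocked_until = {}             # ip -> time at which the block expires

    def allow(self, ip, now):
        """Record one payment attempt at time `now` (seconds); True if it may proceed."""
        until = self._blocked_until.get(ip)
        if until is not None:
            if now < until:
                return False                 # still blocked; attempt is not counted
            del self._blocked_until[ip]      # block expired, start fresh

        q = self._attempts[ip]
        while q and now - q[0] >= self.window:
            q.popleft()                      # drop attempts older than the window
        q.append(now)

        if len(q) >= self.max_attempts:
            self._blocked_until[ip] = now + self.block
            del self._attempts[ip]           # history is irrelevant while blocked
            return False
        return True


def replay(events, limiter=None):
    """Run (ip, timestamp) events through a limiter and return the decisions."""
    limiter = limiter or AttemptLimiter()
    return [limiter.allow(ip, t) for ip, t in events]


if __name__ == "__main__":
    # Constructed sample: one IP bursting, one IP making a single attempt.
    burst = [("203.0.113.7", t) for t in (0, 5, 10, 15, 20)]
    print(replay(burst + [("198.51.100.20", 25), ("203.0.113.7", 30)]))
```

In a real handler `now` would come from `time.monotonic()`, and the limiter only sees attempts that actually reach your own backend.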

tempaccount3333|2 years ago

Unfortunately, the attacks are happening completely outside of my website. The attacker is generating a Stripe Checkout page using my public key - which I have rotated several times. Implementing a captcha on my end won't work and I have no control over blocking IP addresses.

magundu|2 years ago

Now more people know how to do the card testing.

There must be an option to allow the Stripe script only on specific domains and subdomains. All other domains should be blocked.

harg|2 years ago

Are you sure this is how it’s being done? My understanding of Stripe Checkout is that you need the secret key to create a checkout session.