Accepting payment in Electron with Stripe? (security)


#1

Hey guys, I’m building an Electron app with a free/premium model, and would like to be able to accept payments in-app using Stripe. I’ve run into something tricky though, and was hoping someone out there might be able to shed some light on it:

I want to use Stripe Elements to build the payment form, and found this in the requirements

"All submissions of payment info using Elements are made via a secure HTTPS connection. However, to protect yourself from certain forms of man-in-the-middle attacks, and to prevent your customers from seeing Mixed Content warnings in modern browsers, you must serve the page containing the payment form over HTTPS as well.

In short, the address of the page containing Elements must start with https:// rather than just http://."

Question: Is there a secure way for me to display the payment form in Electron, since it’s technically not being served over HTTPS as per the requirement?

I understand that I have to have an SSL certificate on my server that the Electron app is going to send the payment request to. The part I’m confused about is how to securely host the payment form in the Electron app in the first place (before any sending to servers), and have it meet the secure HTTPS requirement above.

Do you guys know how this could be done?


#2

I have not used Stripe … but I would try this (I use Heroku for experiments) …

Create an account in Heroku
Create a free Heroku dyno for Node.js
Try this demo to gain experience …

https://elements.heroku.com/buttons/stripe/stripe-payments-demo


#3

I think the best option is to just have the payment form on your web server, then have Electron redirect the user to your web page in order to make the payment. You don’t need it to function offline, since that would be impossible anyway. And if the form exists in the unencrypted, uncompiled JavaScript code that makes up your Electron app, that makes it more vulnerable to a bad actor who might decide to go in and recode it to direct to their server, hijacking your users’ payment information.