Are Smart Payment Buttons secure?

Miroslav_Z
Contributor

Hi,

I added the "Smart" payment buttons to my website. I followed this guide:

https://developer.paypal.com/docs/checkout/integrate/

But it seems to me that there are some security issues:

  • Anyone can see your client_id. Your competitors could use it to create fraudulent orders to hurt your business.
  • If the order is created and captured on the client, users can easily spoof the order_id. For example, they could re-use one order_id to buy multiple items from different sites.
  • The user can even call the actions.order.capture callback directly, without even having a PayPal account.

And this is not some hard-core hacking. Anyone with beginner JavaScript skills can do this directly in a browser (just press F12 and you can directly edit the JavaScript code).

Do you have any tips on how to make this more secure? Or shall I just let it go? Maybe it's just normal nowadays - let the "hackers" take what they want for free?
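
Added example (not part of the original post, and not PayPal's code): a server-side check for the spoofed or re-used order_id concern, run on the order JSON that the merchant's server fetches itself from PayPal's Orders v2 API (`GET /v2/checkout/orders/{id}`) before it fulfils anything. The names `verifyOrder`, `toCents`, `redeemed`, the sample order and all identifiers in it are constructed for illustration; the amount parsing assumes a two-decimal currency.

```javascript
// Added example, not PayPal's code. `order` is the JSON the server itself
// fetched from PayPal (GET /v2/checkout/orders/{id}); nothing from the browser
// is trusted except the order id used for that lookup.
const redeemed = new Set(); // assumption: in production, a DB unique constraint

// Decimal string -> integer minor units (assumes a two-decimal currency).
function toCents(value) {
  const m = /^(\d+)(?:\.(\d{1,2}))?$/.exec(String(value));
  return m ? Number(m[1]) * 100 + Number((m[2] || "").padEnd(2, "0")) : NaN;
}

// expected = { merchantId, currency, amountCents } from the server-side cart.
function verifyOrder(order, expected) {
  const problems = [];
  if (order.status !== "COMPLETED") problems.push("order not completed");
  const unit = (order.purchase_units || [])[0] || {};
  // An order paid to another merchant's account must not unlock goods here.
  if (!unit.payee || unit.payee.merchant_id !== expected.merchantId)
    problems.push("payee mismatch");
  const capture = ((unit.payments || {}).captures || [])[0];
  if (!capture || capture.status !== "COMPLETED") {
    problems.push("no completed capture");
  } else if (capture.amount.currency_code !== expected.currency ||
             toCents(capture.amount.value) !== expected.amountCents) {
    problems.push("amount mismatch");
  }
  // One order id pays for exactly one purchase.
  if (redeemed.has(order.id)) problems.push("order already redeemed");
  if (problems.length === 0) redeemed.add(order.id);
  return { ok: problems.length === 0, problems };
}

// Constructed sample response (all identifiers are placeholders).
const sampleOrder = {
  id: "ORDER-EXAMPLE-1",
  status: "COMPLETED",
  purchase_units: [{
    payee: { merchant_id: "MERCHANT-EXAMPLE" },
    payments: { captures: [{ status: "COMPLETED",
      amount: { currency_code: "USD", value: "19.99" } }] },
  }],
};
const cart = { merchantId: "MERCHANT-EXAMPLE", currency: "USD", amountCents: 1999 };

console.log(verifyOrder(sampleOrder, cart)); // first use of the order id
console.log(verifyOrder(sampleOrder, cart)); // same order id presented again
```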

 
