I added the "Smart" payment buttons to my website. I followed this guide:
But it seems to me that there are some security issues:
- Anyone can see your client_id. Your competitors could use it to create fraudulent orders to hurt your business.
- If the order is created and captured on the client, users can easily spoof the order_id. For example, they could re-use one order_id to buy multiple items from different sites.
- The user can even call the actions.order.capture callback directly, without even having a PayPal account.
Do you have any tips on how to make this more secure? Or shall I just let it go? Maybe it's just normal nowadays - let the "hackers" take what they want for free?
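
A server-side check that addresses the spoofed and re-used order_id concerns above, as an added example that is not part of the original post or PayPal's own code. It assumes the server has fetched the order itself from the Orders v2 API (never trusting an object posted by the browser); `verifyCapture`, `toCents`, `usedOrderIds` and the sample order are hypothetical names and constructed data.

```javascript
// Added example: decide whether to fulfil an order from the order object the
// SERVER retrieved from PayPal. Field names follow the Orders v2 order object.
const usedOrderIds = new Set(); // assumption: in production, a unique DB column

// Amounts arrive as decimal strings ("19.99"); compare them as integer cents.
// Assumes a two-decimal currency.
function toCents(value) {
  if (typeof value !== "string" || !/^\d+(\.\d{1,2})?$/.test(value)) return NaN;
  const [whole, frac = ""] = value.split(".");
  return Number(whole) * 100 + Number(frac.padEnd(2, "0"));
}

function verifyCapture(order, expected) {
  if (!order || order.status !== "COMPLETED") return "not-completed";
  const unit = (order.purchase_units || [])[0];
  if (!unit) return "no-purchase-unit";
  // An order paid to another merchant (another site) must not unlock goods here.
  if (!unit.payee || unit.payee.merchant_id !== expected.merchantId) return "wrong-payee";
  const captures = ((unit.payments || {}).captures || [])
    .filter((c) => c.status === "COMPLETED");
  if (captures.length === 0) return "no-capture";
  let paid = 0;
  for (const c of captures) {
    if (!c.amount || c.amount.currency_code !== expected.currency) return "wrong-currency";
    paid += toCents(c.amount.value);
  }
  // The price comes from the server's own catalogue, not from the client.
  if (paid !== expected.amountCents) return "wrong-amount";
  // Each order id may be redeemed once.
  if (usedOrderIds.has(order.id)) return "replayed-order";
  usedOrderIds.add(order.id);
  return "ok";
}

// Constructed sample data; ids and amounts are placeholders.
function sampleOrder(id, value, merchantId) {
  return {
    id,
    status: "COMPLETED",
    purchase_units: [{
      payee: { merchant_id: merchantId },
      payments: { captures: [{ status: "COMPLETED",
                               amount: { currency_code: "USD", value } }] },
    }],
  };
}
```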