Django
AntonIgin, 2017-06-09 18:08:33

How to protect the order form from forgery?

It makes no sense to add a digital signature to the form itself: an attacker can add his own signature and then send a request to the desired address with a signature compiled by him. That is, you need to somehow save the key in the view without displaying it to the user, and at the same time you need to somehow send it in the form to Yandex.Money. Initially, the scheme is as follows: the order form sends data to Yandex, but it also sends the AJAX script to my view in order to register the order in advance. Why? So that later, when a notification arrives, I can check the amount, the recipient and, in fact, the digital signature.
What to do?


1 answer(s)
airamkad, 2017-06-09
@airamkad

Read the Yandex API carefully. Payment requests are signed and already go out with verification and so on.
What do you want to protect yourself from?
That the attacker will pay you (and he will pay anyway), but indicate his own address as the address?
This is the client's problem: it's not good to pick up so many viruses that they freely graze in payment systems on behalf of the user. If he already has this, then there is no more money in Yandex.
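The check the question describes (pre-register the order, then validate the incoming payment notification against it), as an added example that is not part of the original thread or the provider's own code. The field order of the signed string, the `orders` registry and all sample values are assumptions constructed for illustration; confirm the exact hash layout in the provider's API documentation.

```python
import hashlib
import hmac
from decimal import Decimal, InvalidOperation

# Assumed layout of the signed string; confirm the field order in the provider's API docs.
SIGNED_FIELDS = ("notification_type", "operation_id", "amount", "currency",
                 "datetime", "sender", "codepro")


def notification_hash(params, secret):
    """SHA-1 hex digest over the signed fields, the server-side secret and the label."""
    parts = [params.get(name, "") for name in SIGNED_FIELDS]
    parts += [secret, params.get("label", "")]
    return hashlib.sha1("&".join(parts).encode("utf-8")).hexdigest()


def verify_notification(params, secret, orders):
    """Return the paid order's label, or raise ValueError naming the failed check."""
    expected = notification_hash(params, secret).encode("ascii")
    supplied = params.get("sha1_hash", "").encode("utf-8")
    if not hmac.compare_digest(expected, supplied):  # constant-time comparison
        raise ValueError("bad signature")
    order = orders.get(params.get("label", ""))
    if order is None:
        raise ValueError("unknown order")
    if order["paid"]:
        raise ValueError("already processed")  # replayed notification
    try:
        amount = Decimal(params.get("amount", ""))
    except InvalidOperation:
        raise ValueError("amount mismatch")
    if params.get("currency") != order["currency"] or amount != order["amount"]:
        raise ValueError("amount mismatch")
    order["paid"] = True
    return params["label"]


def demo():
    """Constructed sample: one pre-registered order and the notification for it."""
    secret = "constructed-test-secret"  # kept in server settings, never in the form
    orders = {"order-42": {"amount": Decimal("150.00"), "currency": "643", "paid": False}}
    note = {"notification_type": "p2p-incoming", "operation_id": "constructed-op-1",
            "amount": "150.00", "currency": "643", "datetime": "2017-06-09T18:08:33Z",
            "sender": "constructed-sender", "codepro": "false", "label": "order-42"}
    note["sha1_hash"] = notification_hash(note, secret)
    return verify_notification(note, secret, orders)
```

The form only carries the opaque label; the secret is used solely on the server when the notification arrives, so a value edited in the browser either fails the signature check or fails the comparison with the stored order.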
