Security on demo version

Hi Snipcart,
just wanted to share a bit of feedback. Was recommended to you as I am working on a possible ecommerce solution. I had a quick look at your sample and noticed that when I registered and logged in, the user data, including email and password, is clear for all to see under XHR/Request Payload.


I haven’t tested any further at this point.
Let me know if you have any questions. This can of course simply be related to a demo version, but just thought I’d let you know as it doesn’t really inspire confidence.
Cheers,
Colin Brown

Hi @cobr31,

Passwords are never encoded when a login or register payload is built. There is no point in encoding it on the frontend, since the encryption key would be in the public source code. Here is an example of the Stripe login call.

That being said, we do encrypt all the passwords before saving them to our database.
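The server-side step Lea describes (the plaintext password arrives in the TLS-protected request payload, and only a protected form is written to the database), as an added example that is not Snipcart's code: a salted, iterated one-way hash with constant-time verification, which is the standard way to store passwords. The iteration count, record format and in-memory user table are assumptions.

```python
import base64
import hashlib
import hmac
import os
from typing import Dict, Optional

# Assumed work factor (not from the thread); PBKDF2-HMAC-SHA256, random 16-byte salt.
PBKDF2_ITERATIONS = 600_000

def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = PBKDF2_ITERATIONS) -> str:
    """Derive a one-way record 'pbkdf2_sha256$<iters>$<salt>$<hash>' from the
    plaintext received in the request payload. Only this record is stored."""
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "$".join(["pbkdf2_sha256", str(iterations),
                     base64.b64encode(salt).decode("ascii"),
                     base64.b64encode(dk).decode("ascii")])

def verify_password(password: str, record: str) -> bool:
    """Recompute with the stored salt and iteration count, compare in constant
    time; a malformed record simply fails verification."""
    try:
        algo, iters, salt_b64, hash_b64 = record.split("$")
        if algo != "pbkdf2_sha256":
            return False
        salt = base64.b64decode(salt_b64, validate=True)
        expected = base64.b64decode(hash_b64, validate=True)
        iterations = int(iters)
    except (ValueError, TypeError):
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(dk, expected)

# Constructed stand-in for the user table: email -> stored hash record.
USERS: Dict[str, str] = {}

def handle_register(payload: dict, iterations: int = PBKDF2_ITERATIONS) -> bool:
    """Server side of the register call: hash the plaintext from the payload,
    store only the record, and let the plaintext go out of scope."""
    email, password = payload["email"], payload["password"]
    if email in USERS:
        return False
    USERS[email] = hash_password(password, iterations=iterations)
    return True

def handle_login(payload: dict) -> bool:
    """Server side of the login call: verify against the stored record."""
    record = USERS.get(payload["email"])
    return record is not None and verify_password(payload["password"], record)
```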

Hi Lea,
Thanks for the response. Agree with you on keeping encryption resources at the backend. For data being passed up to our own repositories I will look at an alternative approach to disguise the data before passing it onto the XHR, certainly in the event of TLS version issues.