Currently encountering a problem, in doing a can buy things an e-commerce app, on the security of order generation, want to consult with experienced friends.
The process of the app is like this (no shopping cart concept), on the product page, click Buy directly, then fill in the relevant information of the individual, submit the generated order. My current idea is this: the app clicks on the purchase, calls the server, gets the order token, and then brings the token when the order is submitted. Whether the order is generated depends on whether the token in the form matches the token stored on the server, and the OAuth encryption on the URL of the order (the server and the app have contracted a key to encrypt). Please publish your own ideas, think broadly. Thank you.
Reply content:
Currently encountering a problem, in doing a can buy things an e-commerce app, on the security of order generation, want to consult with experienced friends.
The process of the app is like this (no shopping cart concept), on the product page, click Buy directly, then fill in the relevant information of the individual, submit the generated order. My current idea is this: the app clicks on the purchase, calls the server, gets the order token, and then brings the token when the order is submitted. Whether the order is generated depends on whether the token in the form matches the token stored on the server, and the OAuth encryption on the URL of the order (the server and the app have contracted a key to encrypt). Please publish your own ideas, think broadly. Thank you.
With post submission, HTTPS can be used conditionally.
The total price must be calculated on the server, detection classification, commodity and related fields exist, you can also use symmetric encryption to encrypt the transmitted data.
First think about what you want to be safe.
Transport Security--https
Correct content-server-side validation
Do not duplicate commits--add tokens to the process, guaranteed to be used by the server at most once
can refer to the payment of the unified next single interface, there is a detailed order creation process, the individual feel very safe, the order before the creation of the token, and then together and the parameters are encrypted and passed to the server to create the order