Stripe in Canada!

Sheena Pakanati on September 19, 2012

Since we launched Stripe just under a year ago, by far the most frequent piece of feedback we received was: Stripe is great, but you need to make it possible for people outside the US to accept payments.

Starting today, Stripe is publicly available for use by any individual or business based in Canada. It’s the exact same Stripe that we offer in the US: instant approval, all major card types accepted, the ability to accept payments from anyone in any country, and simple, flat pricing, without monthly fees.

We’ve been testing our service in Canada over the summer. We’re grateful to have received extensive feedback and help from companies including Tarsnap, MetaLab, and Shopify, all of whom have now been using Stripe for a few months. To them and our other beta users: a huge thank you.

In many ways, launching in Canada is a big step for us—going from 1 to 2 is often harder than going from 2 to n—but it’s only a small piece of what we have in mind. We grew up in countries from Honduras to Kenya, and a large part of why we’re so eager to build Stripe is to help those outside the US to participate as first-class citizens in the internet economy.

And so, to those who are not in the US or Canada: we want Stripe to support businesses and individuals anywhere in the world, and the “international” project we kicked off over a year ago won’t be finished until that’s the case. We’re already working on the next set of countries.

To our friends up north: we’re very excited to see what you create.

Teams

Ross Boucher on September 13, 2012

Building a business isn't a solo affair, and so today we’re launching support for inviting your whole team to Stripe. Now, everyone can have their own login credentials to a shared Stripe account.

Since our launch, having multiple logins for your Stripe account has been one of our most requested features, and we're excited to finally make this available.

In your account settings you'll find a new team settings tab. From here you can invite new users to your Stripe account, remove existing users, and even change your team members' permissions. That's right, your new users also come with their very own set of permissions. This means you can invite your support team without giving them access to your banking details, or your accountant without letting them refund your payments.

There are three permission levels:

  • Administrator gives you access to everything. You can see API keys, change settings, invite new users, etc. All existing Stripe users are now administrators of their Stripe accounts.

  • Read & Write lets you edit and create data, but account settings are strictly off limits. You can refund a payment, or make a new one, but you can't change the bank account or access API keys.

  • Read Only users can only read things. They can't refund payments or create new customers, and they definitely can't touch account settings. They can view and search through all the customer data in your account.

We think this makes using Stripe even more flexible than before, and we hope you agree. As always, we'd love to hear your thoughts on this feature and the rest of your Stripe experience, so please get in touch!

New Recurring Billing Features

Sheena Pakanati on September 11, 2012

We've just launched several new features that'll make working with subscriptions even easier:

New billing intervals

We’ve added support for arbitrary billing intervals. Up to now, subscriptions were limited to being billed on a monthly or yearly basis; now, you can bill with whatever frequency you like. Lots of you have requested this one, so we hope today marks the end of painful workarounds for custom intervals.

Just pass an interval_count along with the regular interval when you're creating a plan. For example, to charge your customers every 3 months, create a plan with an interval of 'month' and interval_count of 3. Read more in the docs.

Subscription quantities (per-seat pricing)

For those of you who have per-user or other quantity-based subscription pricing, we've added an optional quantity parameter that you can specify when you create or update a customer's subscription.

Prorating kicks in as usual when you change the quantity of a subscription unless you pass prorate as false. By default, the quantity is 1. If you update a subscription without changing the plan ID, the quantity of the old subscription will be inherited. If you update a subscription to a new plan, the quantity will either default again to 1 or be set to any explicit quantity parameter you send.

Full details are available in the create_customer and update_subscription docs.
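The two knobs described above (a plan's interval and interval_count, and a subscription's quantity with its inherit-or-reset rules) are small enough to model in a few functions. The following is an added example written for this page, not Stripe's own code or library; the proration routine is a simplified day-based model, stated as an assumption, since the post does not give Stripe's formula.

```ruby
require 'date'

# Added example, not Stripe's code. Models a plan's `interval` + `interval_count`
# and a subscription's `quantity` as the post describes them.

VALID_INTERVALS = %w[day week month year].freeze

# First `n` billing dates for a plan that starts on `start`.
# Every date is computed from `start`, never from the previous billing date, so
# the schedule does not drift: Jan 31 >> 1 clamps to Feb 29 (2012), and a naive
# cumulative walk would then land on Mar 29 instead of Mar 31.
def billing_dates(start, interval, interval_count, n)
  raise ArgumentError, "unknown interval #{interval}" unless VALID_INTERVALS.include?(interval)
  unless interval_count.is_a?(Integer) && interval_count > 0
    raise ArgumentError, 'interval_count must be a positive integer'
  end
  (0...n).map do |i|
    step = interval_count * i
    case interval
    when 'day'   then start + step
    when 'week'  then start + 7 * step
    when 'month' then start >> step        # Date#>> clamps to month end
    when 'year'  then start >> 12 * step
    end
  end
end

# Quantity rules from the post: default 1; updating without changing the plan
# inherits the old quantity; switching plans resets to 1 unless an explicit
# quantity is sent. `current` is a hash like { plan: 'pro', quantity: 5 } or nil.
def resolve_quantity(current, new_plan_id, explicit_quantity = nil)
  unless explicit_quantity.nil?
    unless explicit_quantity.is_a?(Integer) && explicit_quantity > 0
      raise ArgumentError, 'quantity must be a positive integer'
    end
    return explicit_quantity
  end
  return 1 if current.nil? || current[:plan] != new_plan_id
  current[:quantity]
end

# Simplified day-based proration for a quantity change mid-period (assumption
# for illustration only; the post does not specify Stripe's formula).
# Returns the one-off amount in cents: the unused remainder of the period is
# credited at the old quantity and charged at the new one.
def proration(unit_amount, old_qty, new_qty, period_start, period_end, change_on)
  total_days = (period_end - period_start).to_i
  remaining  = (period_end - change_on).to_i
  ((new_qty - old_qty) * unit_amount * remaining) / total_days
end

if __FILE__ == $0
  # A quarterly plan (interval 'month', interval_count 3) for a customer who
  # signed up on the 31st: note the April date clamps to the 30th.
  p billing_dates(Date.new(2012, 1, 31), 'month', 3, 4)
  p resolve_quantity({ plan: 'pro', quantity: 5 }, 'enterprise')
  p proration(1000, 1, 3, Date.new(2012, 9, 1), Date.new(2012, 10, 1), Date.new(2012, 9, 16))
end
```

Computing each date from the plan's anchor rather than from the previous invoice is the detail most worth copying: it is what keeps a customer billed on the 31st from sliding to the 29th after one short month.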

Invoice paying

Stripe automatically takes care of paying new invoices and retrying failed ones. Even so, you sometimes want to retry an unpaid invoice on your own schedule, and the new pay_invoice API call lets you do that.

This feature, previously available only in the dashboard, grants you more control over when and how you retry payment on your customers' invoices. For example, you could use the call to ensure all old invoices are paid before allowing a customer to take a particular action on your site, or you could create an interface for your customers to manually reattempt their own invoices.

Invoice closing and opening

You can now update an invoice in order to mark it as open or closed. Sometimes you're feeling magnanimous and want to mark an invoice as no longer owed to you even though it hasn't yet been successfully paid. If you mark an invoice closed, Stripe will no longer automatically reattempt payment on it; in fact, a closed invoice can never be paid at all unless it's reopened again.

Stripe.js and JSONP

Alex MacCaw on September 7, 2012

We recently shipped a new version of Stripe.js, the JavaScript library behind pretty much every Stripe transaction. The library is in charge of taking credit card data, submitting it to Stripe’s servers and then returning a token which can be charged. This rewrite of Stripe.js comes with a bunch of new improvements, and all existing Stripe.js users have been automatically upgraded behind the scenes.

Stripe.js’s history is an interesting example of how the web works in practice: technologies being repurposed for unexpected use-cases. I thought it’d be interesting to illustrate how this played out.

iframe

Initially, when we were building Stripe.js, we implemented network calls using iframes. Iframes were, of course, never intended for use with cross-domain requests. However, HTML5 added support for postMessage, which enables two cooperating pages to communicate. This isn't quite enough, though—IE6, as usual, doesn’t support postMessage. It turns out that you can still make the iframe hack work by using a non-obvious shared channel: the iframe’s src property—and, in particular, the anchor fragment.

This is what the first version of Stripe.js did. What it lacked in elegance it made up for in compatibility. Still, it meant that we had to serve our iframe code from api.stripe.com, which was somewhat inelegant. The underlying code was hacky and awkward to maintain.

CORS

The standards of the web progress slowly, but they do progress. Back in 2005, a couple of people from Tellme Networks wrote a W3C working group note with the catchy title of Authorizing Read Access to XML Content Using the <?access-control?> Processing Instruction 1.0, which introduced a concept of access control declarations to XML and HTTP. This went through a few versions over the years (by 2007, it was Access Control for Cross-site Requests). Today, this has become CORS, or Cross-Origin Resource Sharing.

Supporting CORS is pretty simple—a matter of adding a few HTTP headers. For Ajax requests to third-party servers, browsers automatically send an OPTIONS preflight request first, verify that the CORS headers are present and valid, and only then send the actual request.

CORS has begun to achieve widespread adoption: most major browsers now support it, Amazon just added CORS support to S3, and YouTube turned it on a few months ago.

With the rise of JavaScript applications, it’s clear that all APIs should now support CORS: if you’re providing an HTTP API, it’d be strange not to support the primary language of the web. As such, we’ve recently enabled CORS support in Stripe’s API, and anyone can now make cross-origin requests to Stripe.

Unfortunately, that’s not quite enough for Stripe.js. IE6 and IE7 both lack CORS support, while IE8 and IE9 have broken implementations. IE10 is the only version with a non-buggy CORS implementation. Obviously, compatibility is paramount for Stripe.js — we want to support all major browsers, right down to IE6—and so we needed to look elsewhere.

JSONP

And so we return to using web technologies in unintended ways: JSONP. JSONP is a really neat and simple hack, and works in pretty much every browser under the sun. It involves creating a <script> tag that loads an API endpoint, and which in turn returns some JSON wrapped in a function call.

We decided to use JSONP for the Stripe.js rewrite. Adding support to our API took a few steps. First, we had to ensure that any responses to requests with callback query parameters were wrapped in a JSONP callback. Next, we had to make sure that JSONP responses always returned a 200 HTTP status code, with the real status code present in the response body. Lastly, since JSONP only supports GET requests, but our API uses a variety of request methods, we had to implement HTTP method override support with a _method query parameter. Rather than clutter our API code, we implemented all of this as middleware atop the API logic itself.
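The three middleware steps above (callback wrapping, a constant 200 status with the real status in the body, and a _method override for JSONP's GET-only requests), together with the CORS headers described in the previous section, fit naturally in one Rack-style layer. The following is an added example written for this page, not Stripe's middleware; it assumes only Rack's `call(env) -> [status, headers, body]` contract and the standard Rack env keys, and the callback validation rule it applies is an assumption rather than something the post specifies.

```ruby
require 'json'
require 'uri'

# Added example, not Stripe's code: a Rack-style middleware that implements the
# three JSONP steps described in the post (callback wrapping, always-200 with
# the real status in the body, _method override) and answers CORS preflights.
# Rack's contract is only `call(env) -> [status, headers, body]`, so this runs
# on the Ruby standard library alone.
class JsonpMiddleware
  # A JSONP callback is reflected verbatim into an executable script, so it is
  # restricted to a dotted JavaScript identifier (assumption: Stripe's exact
  # rule is not on the page). Anything else gets a plain JSON 400.
  CALLBACK_RE = /\A[A-Za-z_$][\w$]*(\.[A-Za-z_$][\w$]*)*\z/
  # Methods a JSONP GET may be upgraded to via _method.
  ALLOWED_OVERRIDES = %w[POST PUT DELETE].freeze
  CORS_HEADERS = {
    'Access-Control-Allow-Origin'  => '*',
    'Access-Control-Allow-Methods' => 'GET, POST, PUT, DELETE, OPTIONS',
    'Access-Control-Allow-Headers' => 'Authorization, Content-Type'
  }.freeze

  def initialize(app)
    @app = app
  end

  def call(env)
    params = Hash[URI.decode_www_form(env['QUERY_STRING'].to_s)]

    # CORS: the browser's preflight is answered here and never reaches the API.
    return [204, CORS_HEADERS.dup, []] if env['REQUEST_METHOD'] == 'OPTIONS'

    callback = params['callback']
    return plain(400, 'error' => 'invalid callback') if callback && callback !~ CALLBACK_RE

    # Step 3: JSONP can only issue GETs, so honour _method, but only on JSONP
    # requests. Letting any GET override its method would turn every
    # state-changing endpoint into a link-clickable (CSRF-prone) GET.
    if callback && params['_method']
      override = params['_method'].upcase
      return plain(400, 'error' => 'unsupported _method') unless ALLOWED_OVERRIDES.include?(override)
      env = env.merge('REQUEST_METHOD' => override)
    end

    status, headers, body = @app.call(env)
    return [status, headers.merge(CORS_HEADERS), body] unless callback

    # Steps 1 and 2: wrap the JSON body in the callback and always answer 200,
    # carrying the real status inside the payload, because a <script> tag
    # silently drops non-200 responses and the client would never see them.
    payload = JSON.parse(body.join)
    wrapped = "#{callback}(#{JSON.generate('status' => status, 'body' => payload)});"
    [200,
     { 'Content-Type' => 'application/javascript', 'X-Content-Type-Options' => 'nosniff' },
     [wrapped]]
  end

  private

  def plain(status, hash)
    [status, { 'Content-Type' => 'application/json' }, [JSON.generate(hash)]]
  end
end

# Constructed stand-in for the API: creates a "charge" on POST and answers 405
# to anything else, so the middleware has realistic responses to wrap.
API = lambda do |env|
  if env['REQUEST_METHOD'] == 'POST'
    [201, { 'Content-Type' => 'application/json' },
     [JSON.generate('id' => 'ch_example', 'paid' => true)]]
  else
    [405, { 'Content-Type' => 'application/json' },
     [JSON.generate('error' => 'method not allowed')]]
  end
end

APP = JsonpMiddleware.new(API)

# Issue a GET with the given query string, as a <script src=...> tag would.
def jsonp_get(query)
  APP.call('REQUEST_METHOD' => 'GET', 'QUERY_STRING' => query)
end

if __FILE__ == $0
  puts jsonp_get('callback=Stripe.cb&_method=POST')[2].join
  # prints: Stripe.cb({"status":201,"body":{"id":"ch_example","paid":true}});
end
```

Two choices in this layer matter for security rather than compatibility: the callback name is validated before it is echoed into a script response, and the method override is only honoured when a callback is present, so ordinary GETs keep their GET semantics.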

With this in place, we rewrote the Stripe.js client library in CoffeeScript, and conducted a huge amount of testing in every browser we support.

Advantages

So, at the end of the day, what are the advantages of this new release?

First off, Stripe.js is now about half its previous size, which saves time and bandwidth for our users. It now works when loaded with file:// URLs, which was a frequent complaint of those hosting development locally.

On the Stripe end, we were able to eliminate a lot of complexity and code required to support iframe tunneling. All in all, a pretty good refactor.

</CaptureTheFlag>

Andy Brody on September 4, 2012

The last flag has been captured, and the final tallies are in. Over 16,000 people from around the world participated in Capture the Flag 2.0 during its week-long run, and it's been a blast exploring web application security with all of you.

[Chart: Unique IP Addresses]

This time we knew we had to prepare for high demand, so we worked to build more powerful infrastructure, bringing in our expertise from making Stripe itself scalable, reliable, and fast. There are some interesting challenges in building applications geared for thousands of people to simultaneously break in, and Greg wrote about the details of our architecture on his personal blog.

In case you didn't get a chance to try them all, I've published the source code to each of the levels and the slides from our talk at the meetup. Many great walkthroughs have been posted online, including a number from individuals and two from the security firms IOActive and Trustwave.

[Chart: Average Time per Level]

We wanted to make the challenges accessible to both seasoned security veterans and relative newcomers, so we tried to order them by increasing difficulty. Judging by the steadily climbing amount of time people spent on each level, it looks like we did all right. By all accounts, everyone had a lot of fun, and we hope you found it more enlightening than frustrating.

Capture the Flag 2.0 Meetup

Siddarth Chandrasekaran on August 27, 2012

Wondering how to solve the Capture the Flag 2.0 levels? Want to meet your fellow CTF solvers in person? This Thursday, we're hosting a meetup for the CTF challenge.

The CTF organizers will present on the motivation and solutions for all nine levels. Beer and snacks are on us, and people of any technical skill level are welcome. This is a 21+ only event.

When: Thursday, August 30th, 2012, at 7:00 PM
Where: 111 Minna Gallery at 111 Minna St, San Francisco.
RSVP: Via our Meetup event.

Capture the Flag 2.0

Greg Brockman on August 22, 2012

Today we're launching Capture the Flag: Web Edition, a security contest where you can try your hand at discovering and exploiting vulnerabilities in mock web applications. If you've ever wondered how a CSRF attack works in practice, this is your chance to find out. We've found that hands-on experience with exploiting security flaws helps us write more secure code, and we hope that working on the CTF will be both enlightening and fun.

To get started, simply create an account. You'll be set up with a series of levels; your goal for each level is to extract a password to unlock the next one. If you successfully complete all levels, we'll send you a special-edition Stripe Web CTF T-shirt, designed just for this contest. You can keep tabs on how you're doing relative to others on the Capture the Flag leaderboard.

If you're not sure where to start, the Open Web Application Security Project and Google Browser Security Handbook are great resources. You can also chat with fellow solvers in the CTF chatroom (also accessible in your favorite IRC client at irc://irc.stripe.com:+6697/ctf).

If you have any questions, feel free to get in touch at ctf@stripe.com. Enjoy the challenge!

Where: stripe-ctf.com
Start: Wednesday, August 22nd, 2012 at 12 noon PDT
End: Wednesday, August 29th, 2012 at 12 noon PDT

'; CREATE TABLE `Capture the Flag`;'

Siddarth Chandrasekaran on August 15, 2012

While it's easy to read about web-based vulnerabilities like XSS and SQL injection, it's often difficult to find a hands-on environment to interact with and fully exploit these vulnerabilities. Given the number of security flaws found on the web every day, we've found it very useful to have practical experience with how attackers find and exploit vulnerabilities.

To address this need, we ran a Capture the Flag security challenge earlier this year. We were blown away by the response: people logged in from over 12,000 unique IP addresses, and 250 participants captured the flag.

Next week, we will be hosting our second Capture the Flag contest. Unlike the one we ran in February, which focused on low-level vulnerabilities such as buffer overflows, this CTF will be dedicated to web-based vulnerabilities and exploits. It'll be open to anyone who's interested in trying their hand at exploiting our levels. If you capture the flag, we'll send you a special-edition Stripe CTF t-shirt.

Start: Wednesday, August 22nd, 2012 at 12 noon PDT
End: Wednesday, August 29th, 2012 at 12 noon PDT

We hope that the next week will give you time to begin familiarizing yourself with the world of web security, and maybe find a team to work with. The levels will use a variety of web languages, such as JavaScript, PHP, Python, and Ruby. If you'd like to do some reading in advance, the Open Web Application Security Project and Google Browser Security Handbook are great places to start.

Check back here in a week to Capture the Flag!

The Hacker in the Rye

Greg Brockman on July 30, 2012

Come to Stripe this weekend for a day of hacking and self-realization. Hack on a project, meet other coders, hang out, or just work on eating the food.

This hackathon will be pretty informal. Stripe provides the space and the food, and there will be plenty of Stripe engineers around for the day. You provide the project, or start one with other coders who are attending. Your goal for the day should be to walk away having built something cool. Past hackathon projects have ranged from building a simple PHP website to adding a new feature to Git to assembling a 3-D printer.

Beginners welcome!

When: Saturday, August 4, 2012, from 1:00 PM until 10:00 PM
Where: Stripe's office at 140 Second Street in San Francisco, 4th Floor.

RSVP via our Meetup event. Hope to see you there!

Some Recent Updates

Saikat Chakrabarti on July 5, 2012

We've been pushing out a lot of smaller updates at Stripe, and I'd like to quickly go over a few changes we've made in the past couple of weeks.

Linked Events

Events in your dashboard now link to their relevant objects and vice versa. So, for example, if you are looking at one of your charges, you will see all the events related to that charge in a section at the bottom of the page. Similarly, if you are looking at an event for a charge, you can easily navigate to the charge the event affected.

Test Cards

We've added a host of new test credit cards that invoke specific card-related errors. You can check them out in our testing documentation.

Scala Bindings 1.1.0

We just pushed an update to our Scala bindings. This new version now matches the latest version of our API, so enjoy!

Retina Graphics

Our dashboard, documentation and blog have had most of their graphics updated for Retina displays. So, if you've been conflicted about buying your new MacBook Pro, don't worry — Stripe will continue looking nice :)

I hope these updates make a lot of your lives easier. And, as always, keep the feedback coming on what you'd like to see!
