SSL and Stripe

What is SSL?

On the web, SSL tries to do two things:

  • Encrypt and verify the integrity of traffic between the browser and the server.
  • Verify that the browser is talking to the correct server. In practice, this usually means verifying that the owner of the domain and the owner of the server are the same entity. This helps prevent man-in-the-middle attacks. Without it there's no guarantee that you're encrypting traffic to the right recipient.

Do I need to use SSL on my payment pages?

Yes, for a couple of reasons:

  • It's more secure. In particular, it significantly reduces your risk of being exposed to a man-in-the-middle attack.
  • Users correctly feel more comfortable sharing their payment information on pages visibly served over SSL. Your conversion rate is likely to be higher if your pages are served over SSL too.

How do I set up SSL?

Setting up SSL takes about half an hour, though it might take longer if it's your first time doing it. It typically costs between $10 and $500 depending on the certificate provider and type of certificate. Conceptually, the process is very straightforward — buy a certificate and configure your web-server to use it — but the details tend to be somewhat complex.

  • You should buy an SSL certificate from a good certificate provider. We recommend DigiCert — their certificates have very wide acceptance (and in particular should work well on mobile browsers, where many other certificate providers fall short). NameCheap is another good option. They have slightly lower acceptance but their basic certificates cost $10 to $20.
  • Unless you're frequently setting up SSL, it's pretty much impossible to remember all the steps and configuration directives involved. We recommend following the DigiCert or Slicehost guides.
  • If you have any questions at any stage of the process, feel free to get in touch — we're very happy to help.

What if I don't want to set up SSL yet?

  • You can test your page (including testing live transactions) before installing your SSL certificate; you don't need to do it at the very start.
  • If you want to go into production before setting up SSL, you could consider hosting your site with a provider that gives you a secure subdomain. For example, Heroku allows you to host at https://yourapp.heroku.com.

Does Stripe use SSL in the API?

Yes — we do our best to protect you from accidentally leaking credit card information over insecure connections:

  • Stripe.js is served only over SSL.
  • All of our official libraries connect to Stripe's servers over SSL and verify SSL certificates on each connection.
  • Your Stripe Dashboard is always served over SSL.
  • More information about Stripe's general security is available on our security page.

How can I test my SSL configuration?

SSL is a complex suite of cryptographic tools, and it's easy to miss a few details. We recommend using the
SSL Server Test by Qualys SSL Labs to make sure you have everything set up in a secure way.

Is there anything else related to SSL that I should think about?

  • It may be a security risk to include JavaScript from other sites. Your security becomes dependent on theirs — if they're ever compromised, an attacker may be able to execute arbitrary code on your page. In practice, most sites embed things like Google Analytics even on secure/sensitive pages [1], but it's something to be aware of, and ideally minimize.
  • For each of your pages, make sure all included resources (JavaScript, CSS, images etc.) are being served over SSL. Not doing this results in the infamous mixed content warning.
  • If you're using Stripe's Webhooks, it's worth having an SSL endpoint to avoid traffic being intercepted (card numbers are never sent with webhooks, though).

[1] http://www.daemonology.net/blog/2011-09-01-Iran-forged-the-wrong-SSL-certificate.html