SSL/TLS and Stripe

What are SSL and TLS?

SSL (Secure Sockets Layer) and TLS (Transport Layer Security) are mechanisms for safely transmitting data. On the web, SSL and TLS try to do two things:

  • Encrypt and verify the integrity of traffic between the browser and the server.
  • Verify the browser is talking to the correct server. In practice, this usually means verifying that the owner of the domain and the owner of the server are the same entity. This helps prevent man-in-the-middle attacks. Without it there's no guarantee that you're encrypting traffic to the right recipient.

The SSL protocol is both outdated and insecure, and has since been replaced by TLS. However, the term "SSL" continues to be colloquially used, referring to a general mechanism for protecting transmitted data.

What is HTTPS?

HTTPS (Hypertext Transfer Protocol Secure) is the combination of SSL/TLS and HTTP to secure communications between the browser and the server.

What is a certificate?

A certificate is a file normally issued by a certification authority (CA). The certificate assures other web users that they're really communicating with the server they expect to be talking to, not an impostor. A certificate is needed in order to use SSL/TLS.

Do I need to use SSL/TLS on my payment pages?

Yes, for a couple of reasons:

  • It's more secure. In particular, it significantly reduces your risk of being exposed to a man-in-the-middle attack.
  • Users correctly feel more comfortable sharing their payment information on pages visibly served over HTTPS. Your conversion rate is likely to be higher if your pages are served over SSL/TLS, too.

How do I set up SSL/TLS?

Setting up SSL/TLS takes about half an hour, though it might take longer if it's your first time doing it. It typically costs between $10 and $500 depending on the certificate provider and type of certificate. Conceptually, the process is very straightforward—buy a certificate and configure your web server to use it, but the details tend to be somewhat complex.

  • You should buy an SSL/TLS certificate from a good certificate provider. We recommend DigiCert—their certificates have very wide acceptance (and in particular should work well on mobile browsers, where many other certificate providers fall short). NameCheap is another good option. Their certificates have slightly lower acceptance rates, but their basic certificates cost only $10 to $20.
  • Unless you're frequently setting up SSL/TLS, it's pretty much impossible to remember all the steps and configuration directives involved. We recommend following the DigiCert or Slicehost guides.
  • If you have any questions at any stage of the process, your server administrator or hosting company should be able to assist.

What if I don't want to set up SSL/TLS yet?

  • You can test your page--but not live transactions--before installing your SSL/TLS certificate. You don't need to enable HTTPS until you're ready to go live.
  • To test live transactions without your own SSL/TLS certificate, you could host your site with a provider that provides a secure subdomain. For example, Heroku allows you to host at

Does Stripe use SSL/TLS in the API?

Yes—we do our best to protect you from accidentally leaking credit card information over insecure connections:

  • Stripe.js is served only over TLS.
  • All of our official libraries connect to Stripe's servers over TLS and verify TLS certificates on each connection.
  • Your Dashboard is always served over TLS.
  • More information about Stripe's general security is available on our security page.

Due to the POODLE security hole, Stripe no longer uses the SSL protocol.

How can I test my SSL/TLS configuration?

SSL/TLS is a complex suite of cryptographic tools, and it's easy to miss a few details. We recommend using the
SSL Server Test by Qualys SSL Labs to make sure you have everything set up in a secure way.

Is there anything else related to SSL/TLS that I should think about?

  • It may be a security risk to include JavaScript from other sites. Your security becomes dependent on theirs; if they're ever compromised, an attacker may be able to execute arbitrary code on your page. In practice, most sites embed things like Google Analytics even on secure/sensitive pages [1], but it's something to be aware of, and ideally minimize.
  • For each of your pages, make sure all included resources (JavaScript, CSS, images etc.) are being served over SSL/TLS. Not doing this results in the infamous mixed content warning.
  • If you're using Stripe's webhooks, it's worth having an SSL/TLS endpoint to avoid traffic being intercepted (card numbers are never sent with webhooks, though).