Swedbank-SPP / swedbank-payment-portal

Swedbank Payment Portal API library for PHP

UrlCallback security measures #14

Closed lkallas closed 6 years ago

lkallas commented 6 years ago

The SPP documentation does not state that the developer has to take any security measures into account when implementing UrlCallbacks.

Let's say a hacker is eavesdropping on traffic between the merchant's e-shop <-> SPP and gets the information about the orderId and the UrlCallback URL. Then marking the payment as SUCCESS in the merchant's system is a matter of one HTTP POST request.

One way to increase security would be to pass a signature with each UrlCallback URL, so that the signature check mechanism is known only to the merchant.

I suggest you update the SPP documentation's security section.
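As an added illustration of the signature idea proposed above (example code written for this discussion, not part of the swedbank-payment-portal library and not SPP's own mechanism), the merchant can bind each UrlCallback URL to an HMAC computed with a key that never leaves the merchant's system, and reject any callback whose signature or per-order nonce does not match. The key name, `buildCallbackUrl`, `verifyCallbackUrl`, the `$nonces` table and the order data below are assumptions constructed for the example.

```php
<?php
// Added example (not library code): HMAC-signed UrlCallback URLs so that a bare
// POST to the merchant's callback endpoint is not enough to mark an order as paid.
// MERCHANT_CALLBACK_KEY, buildCallbackUrl, verifyCallbackUrl and the sample order
// are illustrative assumptions.

declare(strict_types=1);

// Secret known only to the merchant. Never sent to SPP and never derived from the orderId.
// In production, generate it once with random_bytes(32) and keep it in configuration.
const MERCHANT_CALLBACK_KEY = 'replace-with-32-random-bytes-kept-server-side';

/**
 * Build the callback URL handed to SPP when the purchase is created.
 * The signature covers the orderId and a per-order random nonce, so a URL
 * cannot be re-used for a different order.
 */
function buildCallbackUrl(string $baseUrl, string $orderId, string $nonce): string
{
    $sig = hash_hmac('sha256', $orderId . '|' . $nonce, MERCHANT_CALLBACK_KEY);
    return $baseUrl . '?' . http_build_query([
        'orderId' => $orderId,
        'nonce'   => $nonce,
        'sig'     => $sig,
    ]);
}

/**
 * Verify an incoming callback's query parameters.
 * Returns the orderId on success, null on any failure:
 *   - a parameter is missing or not a string
 *   - the HMAC does not match (checked with hash_equals, constant time)
 *   - the nonce is not the unconsumed nonce stored for that order (replay protection)
 *
 * $lookupNonce(string $orderId): ?string returns the stored nonce or null.
 */
function verifyCallbackUrl(array $query, callable $lookupNonce): ?string
{
    foreach (['orderId', 'nonce', 'sig'] as $k) {
        if (!isset($query[$k]) || !is_string($query[$k])) {
            return null;
        }
    }
    $expected = hash_hmac('sha256', $query['orderId'] . '|' . $query['nonce'], MERCHANT_CALLBACK_KEY);
    if (!hash_equals($expected, $query['sig'])) {
        return null;
    }
    $stored = $lookupNonce($query['orderId']);
    if ($stored === null || !hash_equals($stored, $query['nonce'])) {
        return null;
    }
    return $query['orderId'];
}

// --- Demonstration with constructed data ---
$nonces = [];                      // stands in for the merchant's order table
$orderId = 'ORD-1001';             // constructed sample order
$nonces[$orderId] = bin2hex(random_bytes(16));
$lookup = function (string $id) use (&$nonces): ?string {
    return $nonces[$id] ?? null;
};

$url = buildCallbackUrl('https://shop.example/spp/callback', $orderId, $nonces[$orderId]);

// Legitimate callback: the URL arrives exactly as the merchant generated it.
parse_str((string) parse_url($url, PHP_URL_QUERY), $good);
echo 'genuine callback accepted: ', var_export(verifyCallbackUrl($good, $lookup) === $orderId, true), PHP_EOL;

// Attacker who knows only the orderId and the endpoint path, but not the key.
$forged = ['orderId' => $orderId, 'nonce' => 'guess', 'sig' => str_repeat('0', 64)];
echo 'forged callback rejected:  ', var_export(verifyCallbackUrl($forged, $lookup) === null, true), PHP_EOL;

// After the order is processed, consume the nonce so the same URL cannot be replayed.
unset($nonces[$orderId]);
echo 'replayed callback rejected: ', var_export(verifyCallbackUrl($good, $lookup) === null, true), PHP_EOL;
```

One caveat a merchant should keep in mind: an eavesdropper in the position described above sees the complete callback URL, signature included, so the signature only stops attackers who know the orderId and endpoint but not the exact URL. The callback should therefore be treated as a trigger, and the order should only be marked paid after the merchant confirms the payment status through its own authenticated server-to-server request to SPP.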

Swedbank-SPP commented 6 years ago

Thank you for your comment. You are right, we need to make the security part clearer. We are now preparing an update.

Swedbank-SPP commented 6 years ago

Added 278c431fb12c7127d07907f7c4e2b46bc78f0121