We have just received an email from stripe informing us that our secret key is visible in one of the presentation page of one of our sellers.
After researching, we were unable to find this key in the page mentioned.
Has this bug already been reported?
Here is the link sent by stripe: Annonces de test – wattyouneed
For your information, we have changed the secret key for security reasons and replaced it with: sk_live_secretkeystriperesearched for the moment
Please clarify if this is related to the Stripe Connect key or the Stripe key for accepting payments (set up in WooCommerce/Settings/Payments)? This may be related to WooCommerce because we use the provided Stripe Connect key for back-end requests only, it can’t be rendered in the front-end HTML source code of the website.
Sorry but stripe didn’t mention it in his email. They just explained us that the secret key of our stripe comtpe is visible on the page mentioned above.
They do state, however, that “Access to these keys allows anyone to access the Stripe API, including issuing discounts and refunds to your account, viewing customer data, deleting customers, and viewing your Stripe balance.”
Please make sure that you set the Stripe Connect API key strictly in HivePress/Settings/Integrations/Stripe and not anywhere else, e.g. this issue may occur if you accidentally copied this key to reCaptcha or Google Maps section, because reCaptcha and Google Maps indeed include their keys on the front-end.
This issue may be also related to WooCommerce, e.g. if you use the same key for accepting payments in WooCommerce/Settings/Payments, and for payouts (Stripe Connect) in HivePress/Settings/Integrations/Stripe, these should be separate keys if I remember correctly.
We have checked and everything is configured normally,
This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.