How We Handle Security at Snipcart
September 25, 2014
Hey, if I change the merchant’s product markup using my browser developer tools, I can change the price... I could pay a penny for a product that is worth 100$.
Truth be told, we’ve read variants of that one a few times already. And every time, we replied the same thing: Good point, but nope, you can’t.
Why? Because we’re smart too.
We don’t want ill-intentioned webtronauts messing around with Snipcart merchants’ prices or quantity, no. So, yeah, we took care of it. How? Just give us a sec, we’ll get there.
Some other form of feedback popped up quite a few times on our radar lately. It went something like this:
Hey, clicking on the Powered by Snipcart link in your cart redirects the user to your home page, which has nothing to do with security. You should do something about that.
Every time, we replied the same thing: Yup, you’re right. We’re on it.
Since the new custom security page is now enabled for our merchants, we thought we’d write this little post to walk you through exactly how we handle security at Snipcart. Shall we?
We ensure HTTPS/SSL protection for all of our merchants
We’ve been asked the question a few times:
While we always strongly advise people to get one, the real answer to that question is: No, you don’t. But you really should. We’re nice guys here at Snipcart, so we make sure all of your communications pass through HTTPS/SSL encryption even if there’s no green padlock next to your URL. Still, most Internet users have gotten used to trusting that symbol, so you should definitely get a certificate for yourself (we think a couple bucks is a fair price to pay for a decent amount of trust). You wouldn’t want a customer to run away from your awesome products because of such a little detail, right? Also, having an SSL certificate protects you from certain man-in-the-middle attacks.
We crawl back and cross-check every transaction info
Remember that clever intervention at the top of this post? The “I think I found a way to bypass your security” one? The assumption here is that altering the HTML on a web page could allow one evil individual to pay a dollar for a top-quality product worth hundreds. Of course, we made sure such a thing couldn’t happen: we crawl back every transaction to make sure no product information has been altered before we process the payment. So attempting such a trick would only result in the transaction failing to complete.
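To make the crawl-back idea concrete, here is a minimal sketch of that kind of server-side cross-check. It is an added example, not Snipcart's actual code: the `data-item-*` attribute names, the sample page and the function names are assumptions made for illustration.

```python
from decimal import Decimal, InvalidOperation
from html.parser import HTMLParser

# Constructed sample of a merchant product page as the server would fetch it.
# The data-item-* attribute names are assumptions made for this example.
MERCHANT_PAGE = """
<html><body>
  <button class="buy" data-item-id="mug-01" data-item-name="Mug"
          data-item-price="100.00">Add to cart</button>
  <button class="buy" data-item-id="pen-02" data-item-name="Pen"
          data-item-price="2.50">Add to cart</button>
</body></html>
"""

class ProductMarkupParser(HTMLParser):
    """Collects {item id: price} from elements carrying data-item-* attributes."""
    def __init__(self):
        super().__init__()
        self.prices = {}

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if "data-item-id" in a and "data-item-price" in a:
            try:
                self.prices[a["data-item-id"]] = Decimal(a["data-item-price"])
            except (InvalidOperation, TypeError):
                pass  # unparseable price: treat the product as not found

def validate_order_item(item, page_html):
    """Return (ok, reason) for one cart item submitted by the browser.

    `item` is what the client claims; `page_html` is the merchant page
    fetched server-side, which the customer's dev tools cannot modify.
    """
    parser = ProductMarkupParser()
    parser.feed(page_html)
    trusted = parser.prices.get(item["id"])
    if trusted is None:
        return False, "product not found on merchant page"
    try:
        claimed = Decimal(str(item["price"]))
    except InvalidOperation:
        return False, "malformed price"
    if claimed != trusted:
        return False, f"price mismatch: claimed {claimed}, page says {trusted}"
    if not isinstance(item.get("quantity"), int) or item["quantity"] < 1:
        return False, "invalid quantity"
    return True, "ok"
```

The point of the design is that the price used for payment comes from the copy of the page the server fetched itself, so whatever was edited in the browser only causes the order to be rejected.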
We offer PCI compliant hosting
Most e-commerce solutions have been throwing around those three letters for a while already: P-C-I. This security standard for organizations that handle consumer payment cards sure has a positive impact on the trust of many merchants. Well, Snipcart is hosted in accordance with PCI compliance specifications. If you’re using Stripe, Pin Payments or Paymill, we don’t even receive credit card numbers on our servers.
This is pretty much how we handle security at Snipcart. Hopefully, future users will stumble upon this post before sending us another variant of the first quoted remark. And if they don’t, well, it’s all right: now our support’s got a direct link for replying to security inquiries :)
Not convinced? Got tips, objections? Let us know what you think about how we manage security in the comments. We’re all ears, as usual!