Stripe Checkout Security - Hidden fields a security issue?

I have been looking into integrate stripe into Wappler.
I am trying to keep it 100% Wappler (other than the JS scripts needed provided on the stripe website) so no PHP coded CURL requests etc, just Server Side API calls

Been a bit of a process but I seem to have got things working

The process I am using is that the checkout generates the stipeToken which is passed to a server connect action which then passes the token to Stripe via an API call.
The data returned is then inserted into a database table

That part woks surprisingly well

Ironically the most problematic part of the process has been passing variable checkout totals from he checkout (via Stripe Elements) to the server action
I have it working using a hidden field within the checkout such as

<input type="hidden" name="PaymentAmount" class="form-control mb-3 StripeElement StripeElement--empty" placeholder="Amount" dmx-bind:value="555"

which passes £5.55 to the checkout

I know the stripe checkout submits via javascript and works differently to a standard form submission but my questions are:

Do you think using a hidden text field to pass the checkout total is a security risk?

Does anyone know a better way of passing the checkout total so it can be collected by a server action as a POST value?

Community Page
Last updated: