What are some best practices regarding security?

When you design web-based applications that interact with PayPal, you need to make them as secure as possible. We have some tips for doing just that.


First, secure your server. Always host your application on an SSL-enabled web server. Set up an SSL certificate for your web server so you can provide HTTPS (SSL webpages) as opposed to HTTP (non-SSL webpages). HTTPS protects data transmitted between client and server from eavesdropping, and confirms that the client is interacting with the right server. By hosting your application on an SSL-enabled server, you’ll also help shoppers feel safer and make them more likely to complete a purchase. Savvy consumers know that they should only enter personal data into a secure HTTPS page.
  • To get an SSL certificate, search the internet for “SSL certificate”; there are many different providers to choose from.
  • If you're hosting with a third-party company, you can ask your hosting company for an SSL certificate. Usually they can set it up for you.

Once your server is secured with an SSL certificate, you can implement the following best practices as you work with the PayPal technologies.

Website Payments Standard
Make sure your return and cancel_return URLs are HTTPS URLs. This will prevent some buyers from seeing browser warning messages, depending on the individual buyer’s browser configuration. These messages essentially state that the user is leaving a secure site (PayPal) and going to a non-secure site (merchant’s site).

You should also use HTTPS URLs with Express Checkout, in the SetExpressCheckout() parameters ReturnURL and CancelURL, and for images that you host but that are embedded on PayPal pages via code parameters (for example, header images for Express Checkout and PayPal Website Payments Standard).

When you implement Website Payments Standard, use encrypted HTML. This makes it impossible for others to view the source code of your webpages or the email address of your PayPal account. It also stops people from trying to alter the price of the goods being sold on your site.

IPN and PDT
For PayPal Instant Payment Notification (IPN) and Payment Data Transfer (PDT), make sure your script posts back to PayPal over port 443 (HTTPS) and not port 80 (HTTP). Depending on which language you’ve used to write your IPN script, this can be as simple as setting your post-back URL to be https://www.paypal.com. You may need to use a different function or specify the port directly.

For example, in PHP, you may be set up to post back IPNs for validation with something like this:

$fp = fsockopen ('www.paypal.com', 80, $errno, $errstr, 30);

To post back over port 443, change this to:

$fp = fsockopen ('ssl://www.paypal.com', 443, $errno, $errstr, 30);

To post back to port 443, you may need to install additional libraries on your server.
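
The port-443 post-back above, written as an added example (not PayPal's code and not part of the original page) that checks the server certificate and host name explicitly and treats any connection or response failure as unverified. The function names, the /cgi-bin/webscr path and the User-Agent value are assumptions made for this example; cmd=_notify-validate and the VERIFIED reply are the standard IPN validation exchange.

```php
<?php
// Added example, not PayPal's code. Function names, the /cgi-bin/webscr
// path and the User-Agent value are assumptions.

// Echo the notification back unchanged, prefixed with the validate command.
function build_postback(string $rawBody): string
{
    return 'cmd=_notify-validate' . ($rawBody === '' ? '' : '&' . $rawBody);
}

// Returns true only when PayPal answers 200 with a body of exactly VERIFIED.
function verify_ipn(string $rawBody, string $host = 'www.paypal.com'): bool
{
    $ctx = stream_context_create(['ssl' => [
        'verify_peer'       => true,  // reject untrusted certificate chains
        'verify_peer_name'  => true,  // reject certificates issued for another host
        'peer_name'         => $host,
        'allow_self_signed' => false,
    ]]);
    $fp = @stream_socket_client("ssl://$host:443", $errno, $errstr, 30,
                                STREAM_CLIENT_CONNECT, $ctx);
    if ($fp === false) {
        error_log("IPN post-back failed: $errno $errstr");
        return false;  // fail closed: no TLS connection, no verification
    }
    $body = build_postback($rawBody);
    // HTTP/1.0 keeps the reply unchunked, so the body can be compared directly.
    fwrite($fp, "POST /cgi-bin/webscr HTTP/1.0\r\n"
        . "Host: $host\r\n"
        . "User-Agent: ipn-verify-example\r\n"   // constructed value
        . "Content-Type: application/x-www-form-urlencoded\r\n"
        . "Content-Length: " . strlen($body) . "\r\n"
        . "Connection: close\r\n\r\n"
        . $body);
    $response = stream_get_contents($fp);
    fclose($fp);
    if ($response === false) {
        return false;
    }
    [$headers, $reply] = array_pad(explode("\r\n\r\n", $response, 2), 2, '');
    if (!preg_match('#^HTTP/1\.[01] 200\b#', $headers)) {
        return false;
    }
    return trim($reply) === 'VERIFIED';
}

// In the IPN handler, pass the raw request body so field order and encoding
// are preserved:
// $ok = verify_ipn(file_get_contents('php://input'));
```
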
By following these best practices, you can make programmatic interactions with PayPal more secure and provide shoppers with a safer buying experience.