Learn how to keep your payments secure.
To make sure nobody can interfere with your payments (or find out about your private API key) always stick to the following rules.
Since there is no guarantee an event has actually been sent by the Unzer API, you should always fetch the resource using the API. This way you make sure a hacker cannot inject a false payment state into your shop.
In addition, there is no guarantee that events arrive in the same order they were sent in. Fetching the resource behind an event always gives you its latest state.
Never use the event's retrieveUrl to fetch the event's resource without first making sure its domain is legitimate.
A hacker could send an event with a retrieveUrl that contains their own domain, either to spy out your private key or to return fake data that makes you believe a payment is completed when it actually is not.
Always fetch the event's resource by creating an API request for the affected resource against the correct Unzer API domain.
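The following is an added example (not Unzer's own code) of how a webhook handler can apply these rules before it fetches anything: it reads only the resource path out of the event's retrieveUrl, rejects any scheme or host that is not the trusted Unzer API host, and rebuilds the URL on that host so the request (and the private key sent with it) can never go to a foreign domain. It assumes `https://api.unzer.com` as the API host and uses a constructed sample event with made-up ids.

```python
import json
from urllib.parse import urlsplit

# Assumption: the Unzer API host your integration already talks to.
UNZER_API_BASE = "https://api.unzer.com"

# Constructed sample webhook body (ids are made up for this example).
SAMPLE_EVENT = json.dumps({
    "event": "charge.succeeded",
    "paymentId": "s-pay-1",
    "retrieveUrl": "https://api.unzer.com/v1/payments/s-pay-1/charges/s-chg-1",
})


def is_trusted_retrieve_url(url: str, api_base: str = UNZER_API_BASE) -> bool:
    """True only if url is https and its netloc equals the trusted API host exactly.

    Exact netloc comparison also rejects userinfo tricks such as
    https://api.unzer.com@evil.example/... (netloc is 'api.unzer.com@evil.example')
    and look-alike hosts such as api.unzer.com.evil.example.
    """
    parts = urlsplit(url)
    trusted = urlsplit(api_base)
    return (parts.scheme == "https"
            and parts.netloc.lower() == trusted.netloc.lower()
            and parts.path.startswith("/")
            and ".." not in parts.path)


def trusted_resource_url(event_body: str, api_base: str = UNZER_API_BASE) -> str:
    """Return the URL to fetch the event's resource from, rebuilt on the trusted host.

    The event itself is never trusted: only the resource path is taken from
    retrieveUrl, and the request is then made against api_base. Anything that
    does not point at the trusted host is rejected instead of followed.
    """
    event = json.loads(event_body)
    retrieve_url = event.get("retrieveUrl")
    if not isinstance(retrieve_url, str) or not is_trusted_retrieve_url(retrieve_url, api_base):
        raise ValueError("retrieveUrl is missing or does not point at the Unzer API host")
    trusted = urlsplit(api_base)
    # Rebuild from the trusted base and keep only the path (drop query and fragment),
    # so the original string from the webhook is never forwarded as-is.
    return f"{trusted.scheme}://{trusted.netloc}{urlsplit(retrieve_url).path}"


if __name__ == "__main__":
    # Your shop would now GET this URL with its private key and read the payment state
    # from the response, ignoring whatever state the webhook body claimed.
    print(trusted_resource_url(SAMPLE_EVENT))
```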
To learn which URLs must be added to the allowlist for Unzer UI components in your content security policy, please refer to the Content security policy section of the UI components page.