Purpose
Summarize PayPress security boundaries and trust decisions.
Overview
PayPress relies on Stripe Checkout for payment collection, WordPress capabilities/nonces for admin actions, Stripe signature verification for webhooks, and installation ownership validation for multi-site safety.
How It Works
Sensitive payment data stays with Stripe. PayPress validates requests before creating Checkout Sessions, validates webhook signatures before parsing events, validates ownership before local writes, and exposes only allowlisted public REST state.
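The "validates webhook signatures before parsing events" step above, as an added example that is not PayPress's own code: a Python reimplementation of Stripe's documented Stripe-Signature scheme (a `t=` timestamp plus one or more `v1=` HMAC-SHA256 entries over `<timestamp>.<raw body>`, a replay tolerance window, and constant-time comparison). The endpoint secret, body and timestamp are constructed values.

```python
import hashlib
import hmac
import json
import time
from typing import List, Optional, Tuple

# Stripe's documented default: reject events whose signed timestamp is more
# than five minutes from the receiver's clock, limiting replay of a captured delivery.
DEFAULT_TOLERANCE_SECONDS = 300


def parse_signature_header(header: str) -> Tuple[int, List[str]]:
    """Parse 'Stripe-Signature: t=<unix ts>,v1=<hex sig>[,v1=<hex sig>...]'."""
    timestamp = None
    signatures = []
    for item in header.split(","):
        key, sep, value = item.strip().partition("=")
        if not sep:
            continue
        if key == "t":
            timestamp = int(value)
        elif key == "v1":  # other schemes (e.g. v0) are ignored
            signatures.append(value)
    if timestamp is None or not signatures:
        raise ValueError("malformed Stripe-Signature header")
    return timestamp, signatures


def compute_signature(raw_body: bytes, secret: str, timestamp: int) -> str:
    """HMAC-SHA256 over '<timestamp>.<raw body>' keyed with the endpoint secret."""
    signed_payload = f"{timestamp}.".encode() + raw_body
    return hmac.new(secret.encode(), signed_payload, hashlib.sha256).hexdigest()


def verify_webhook(raw_body: bytes, header: str, secret: str,
                   now: Optional[int] = None,
                   tolerance: int = DEFAULT_TOLERANCE_SECONDS) -> dict:
    """Return the parsed event only after signature and timestamp check out.

    raw_body must be the exact bytes received; re-serialised JSON will not match.
    """
    now = int(time.time()) if now is None else now
    timestamp, signatures = parse_signature_header(header)
    if abs(now - timestamp) > tolerance:
        raise ValueError("webhook timestamp outside tolerance window")
    expected = compute_signature(raw_body, secret, timestamp)
    # Constant-time comparison against every v1 entry (several exist during secret rotation).
    if not any(hmac.compare_digest(expected, sig) for sig in signatures):
        raise ValueError("webhook signature mismatch")
    return json.loads(raw_body)  # parse only after verification succeeds
```

In a WordPress handler the equivalent is the raw request body from the REST request, never a re-encoded array; a mismatch or tolerance failure should end the request before any local write.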
Important Components
- Stripe Checkout.
- WordPress admin capabilities.
- Nonces.
- Stripe webhook signature verification.
- Installation UUID ownership.
- Server-side checkout validation.
- Public campaign DTO allowlist.
- Sanitized Payment Form storage.
Data Flow
User/admin/public request -> capability/nonce or server validation -> Stripe or local action -> webhook verification/ownership -> local persistence.
Security Considerations
Do not log sensitive payloads. Do not send raw Payment Form responses to Stripe metadata. Do not trust cached page state for checkout. Do not bypass ownership validation.
Known Limitations
Security plugins, CDNs, and hosts can block or alter webhook and REST requests, so the protections above still depend on correct operational configuration of those layers.