Is the Hosted Account Management URL Secure?

The Hosted Account Management link automatically logs in anyone who has it as the customer, so security measures are in place to protect the customer's sensitive data. The customer's payment details are encrypted. Additionally, the Hosted Account Management / Hosted Billing URL strings include a 32-character account token (not the account code), with each character drawn from 36 possibilities (a-z, 0-9). That means someone attempting a brute-force attack by appending candidate account tokens to the base URL would face 36^32, roughly 6.3 × 10^49, possible values (about 165 bits), far more than can be enumerated. Because the link is itself the credential, the size of that keyspace only protects against guessing: anyone who obtains the link can use it, so share it only with the customer and treat it as you would a password.
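As an added illustration of the arithmetic above (this is example code written for this article, not Recurly's implementation, and it assumes only the token format the article states: 32 characters from a-z and 0-9), the block below computes the keyspace and entropy of such a token, estimates how long an online guessing attack would take, and shows the two things an implementer of any link-as-credential scheme has to get right: generating the token from a cryptographically secure source, and comparing a presented token in constant time. Function names and the guess rate are assumptions for the example.

```python
"""Sizing, generating and checking a 32-character base-36 account token.

Added example for this article; not Recurly's code. The only facts taken
from the article are the alphabet (a-z, 0-9) and the length (32).
"""
import hmac
import math
import secrets

ALPHABET = "abcdefghijklmnopqrstuvwxyz0123456789"  # 36 symbols, as the article states
TOKEN_LENGTH = 32                                   # token length, as the article states


def keyspace(length: int = TOKEN_LENGTH, symbols: int = len(ALPHABET)) -> int:
    """Number of distinct tokens: symbols ** length (36**32 for this format)."""
    return symbols ** length


def entropy_bits(length: int = TOKEN_LENGTH, symbols: int = len(ALPHABET)) -> float:
    """Security level in bits: log2 of the keyspace (32 * log2(36) ~ 165.4)."""
    return length * math.log2(symbols)


def expected_years_to_guess(guesses_per_second: float,
                            length: int = TOKEN_LENGTH,
                            symbols: int = len(ALPHABET)) -> float:
    """Expected time for a guessing attack at the given rate.

    On average an attacker must try half the keyspace before hitting one
    specific token. The guess rate is a hypothetical input to the example.
    """
    seconds_per_year = 365.25 * 24 * 3600
    return keyspace(length, symbols) / 2 / guesses_per_second / seconds_per_year


def generate_token(length: int = TOKEN_LENGTH) -> str:
    """Generate a token from the OS CSPRNG.

    secrets.choice is used deliberately: random.choice is seeded from a
    predictable PRNG and a token built from it could be reconstructed.
    """
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def is_well_formed(token: str) -> bool:
    """Reject anything that is not exactly TOKEN_LENGTH base-36 characters
    before it is used in a lookup, so malformed input never reaches storage."""
    return len(token) == TOKEN_LENGTH and all(c in ALPHABET for c in token)


def token_matches(presented: str, stored: str) -> bool:
    """Constant-time comparison. A plain == returns early on the first
    differing byte, which lets an attacker learn a token prefix by timing."""
    return hmac.compare_digest(presented.encode(), stored.encode())


if __name__ == "__main__":
    tok = generate_token()
    print(f"token: {tok}")
    print(f"keyspace: {keyspace():.3e} ({entropy_bits():.1f} bits)")
    # Hypothetical attacker rate of one billion URL requests per second.
    print(f"expected years at 1e9 guesses/s: {expected_years_to_guess(1e9):.2e}")
    print(f"well formed: {is_well_formed(tok)}, matches itself: {token_matches(tok, tok)}")
```

The guess-rate figure is there only to make the scale concrete; no attacker can issue anything like a billion requests per second against a hosted page, and rate limiting on the server side lowers the achievable rate further. The point the numbers make is that guessing is not the realistic threat to this kind of link; disclosure of the link itself is.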

For additional security, instead of using the Hosted Account Management URL you can set up the Hosted Account Management pages - Account Login. This turns on the full Hosted Account Management portal for your customers. With this setting your customers are required to create logins. Once logged in, customers can view and manage their subscriptions, invoices, and billing information. This is a good alternative to the Hosted Billing link, and the two can also be used together.

We have more information on this in our docs here: https://docs.recurly.com/docs/hosted-account-management#section-account-login
