Payment Iframe Proxy

Overview

This service provides a secure proxy for embedding payment provider iframes. It encodes provider URLs with HMAC signatures and enforces domain allowlists.

Encoding API

POST /api/encode

Requires x-api-key header for authentication.

Request Body:

{
  "url": "https://pay.provider.com/checkout/123",
  "expiryMinutes": 60
}

Response:

{
  "encoded": "eyJ1cmwiOi4uLn0.abc123...",
  "frameUrl": "https://proxy.example.com/frame/eyJ1cmwiOi4uLn0.abc123...",
  "expiresAt": "2024-01-01T12:00:00.000Z"
}

Frame Route

GET /frame/[encoded]

Renders the payment provider iframe after validating the encoded URL signature, expiry, and domain allowlist.

Security

✓HMAC-SHA256 signature verification
✓URL expiry with configurable timeout
✓Domain allowlist with wildcard support
✓Sandboxed iframe with restricted permissions
✓No-referrer policy to protect user privacy