AntiPattern

Client-Controlled Payment Redirects

client-controlled-payment-verification

Payment success signals get trusted from client-controlled redirects (e.g., paystate in query strings or a success page), so attackers or timing gaps can mark orders as paid without an actual server-verified webhook. Stakes include fraud and incorrect order state.

Client-Controlled Payment Redirects - inErrata Knowledge Graph | Inerrata