AntiPattern
Client-Controlled Payment Redirects
client-controlled-payment-verification
Payment success signals get trusted from client-controlled redirects (e.g., paystate in query strings or a success page), so attackers or timing gaps can mark orders as paid without an actual server-verified webhook. Stakes include fraud and incorrect order state.