Integrate FraudNet

Last updated: October 12th 2022, @ 12:17:18 pm


FraudNet is a PayPal-developed JavaScript library embedded in a merchant's web page to collect browser-based data that helps reduce fraud. At checkout, the collected data elements are sent to PayPal Risk Services for fraud and risk assessment. FraudNet supports desktop browsers only.

Data collected by FraudNet is used for risk analysis and authentication. PayPal does not share FraudNet data with third parties for their own independent benefit.

To integrate FraudNet, embed a short code snippet in the merchant website and add a custom header to the PayPal call.

1. Embed FraudNet snippet

Embed a FraudNet JavaScript snippet and a <noscript> snippet in the page where you're integrating FraudNet. The integration code is based on the non-blocking script loader pattern.

JavaScript

There are 2 parts to the JavaScript snippet:

Element | Description
FraudNet parameters | A <script> parameter block that passes fnparams input parameters to FraudNet.
Loading script | A <script> element with code that asynchronously loads the FraudNet JavaScript.

Noscript

The <noscript> snippet runs when JavaScript isn't enabled in the browser. This element operates independently of the JavaScript snippet.

Parameters

The JavaScript and <noscript> snippets pass parameters to FraudNet. The s and f FraudNet parameters are required for both integrations.

Script attributes

The loading script of the JavaScript snippet uses this attribute in the <script> declaration:

Parameter | Description | Type | Required
fncls | Passes the fnparams key needed to connect with the FraudNet service. The key is fnparams-dede7cc5-15fd-4c75-a9f4-36c430ee3a99. | string | Required for JavaScript snippets

Parameter attributes

The JavaScript and <noscript> snippets use these 2 attributes:

Parameter | Description | Type | Required | Notes
`f` | The FraudNet Session Identifier: a unique and random identifier for the current transaction or session. | String | Required | Maximum length: 32
`s` | The Source Website Identifier: a unique flow ID for each web page. See the Modify the code section for how to create this ID. | String | Required | Maximum length: 32

The JavaScript snippet also uses this attribute.

Parameter | Description | Type | Required
sandbox | Set to true for a transaction in the sandbox environment. For a live payment, set this to false or omit the attribute. | boolean | Required for sandbox

All other FraudNet parameters are optional.


JavaScript snippet

The JavaScript snippet requires an fncls attribute set to fnparams-dede7cc5-15fd-4c75-a9f4-36c430ee3a99.

To find and process its parameters, the FraudNet JavaScript searches the page for a <script> element of type application/json with an fncls attribute whose value matches that string.

FraudNet parameters

Add the following fnparams configuration script to the page to pass parameters to FraudNet. It is read when the page loads in a modern browser with JavaScript enabled.

<script type="application/json" fncls="fnparams-dede7cc5-15fd-4c75-a9f4-36c430ee3a99">
{
  "f": "<32_character_GUID>",
  "s": "<merchant_id>_<page_id>",
  "sandbox": false
}
</script>

Loading script

There are 2 options for loading the FraudNet script on the web page:

Option 1: Insert this code after the fnparams configuration script:

<script type="text/javascript" src="https://c.paypal.com/da/r/fb.js"></script>

Option 2: Append this code after your own logic and pass your configuration as options:

// Configuration object; the original snippet left it unassigned and used a
// semicolon inside the literal, which is a syntax error.
var fraudnetOptions = {
  fnUrl: "https://c.paypal.com/da/r/fb.js"
};

// Dynamically inserted scripts load asynchronously, so this does not block
// rendering of the page.
function _loadFraudnetConfig(options) {
  var script = document.createElement("script");
  script.src = options.fnUrl;
  document.body.appendChild(script);
}

_loadFraudnetConfig(fraudnetOptions);

Modify the code

  • Set a unique and random identifier for the current transaction or session in the FraudNet f parameter, also known as FraudNet Session Identifier. The maximum length of the parameter is 32 characters.
  • Send the same f value in the PAYPAL-CLIENT-METADATA-ID HTTP header of the Create order API request in Step 2 of the Integrate Pay upon Invoice page, so PayPal can link the collected browser data to the order.
  • Set a unique identifier for each web page in the FraudNet s parameter, also known as Source Website Identifier. The maximum length of the parameter is 32 characters. Use <merchant_id>_<page_id> to create unique identifiers for the s parameter. Locate these values as follows:
    • merchant_id - go to your profile and select Account Settings > Business Information > PayPal Merchant ID.
    • page_id - use one of the following values: home-page, search-result-page, category-page, product-detail-page, cart-page, inline-cart-page, checkout-page.

2. Content Security Policy integration

CSP tags

If you use a Content Security Policy (CSP), add the following URLs to the allowlist of each directive:

Directive | Allowed sources (live)
img-src | https://c.paypal.com, https://b.stats.paypal.com
frame-src | https://c.paypal.com
script-src | https://c.paypal.com

CSP scripts

If your Content Security Policy doesn't allow inline scripts, use one of the following options:

  • Add unsafe-inline to your script-src directive, for example Content-Security-Policy: script-src 'unsafe-inline'. This permits every inline script in your app, which removes most of the protection CSP gives against injected scripts.
  • Allowlist the script with a nonce value.

Allowlist inline scripts

You can allowlist specific inline scripts without using the unsafe-inline directive, by using either a cryptographic nonce (a number used once) or a SHA hash of the script's content.

To use a nonce, add a nonce attribute to the script tag. Generate a fresh nonce at random on each page load and insert the same value into the CSP header and the FraudNet script element. PayPal recommends a Base64-encoded value from a cryptographically secure random number generator with at least 128 bits of data.

Note: Don't use a static nonce. A nonce that never changes is no more secure than the unsafe-inline directive: an attacker who learns the value can bypass all other restrictions in the CSP and execute any script they want.

<script nonce="abcRANDOM_NONCE_VALUExyz">
alert('Hello, world.');
</script>
Content-Security-Policy: script-src 'nonce-abcRANDOM_NONCE_VALUExyz'