Integrate FraudNet

Last updated: April 6th 2022, 4:06:12 pm


FraudNet is a PayPal-developed, JavaScript library embedded into a merchant’s web page to collect browser-based data to help reduce fraud. Upon checkout, data elements are sent to PayPal Risk Services for fraud and risk assessment. FraudNet is for desktop browsers only.

Data collected by FraudNet is used for risk analysis and authentication. PayPal does not share FraudNet data with third parties for their own independent benefit.

To integrate FraudNet, embed a short code snippet in the merchant website and add a custom header to the PayPal call.

1. Embed FraudNet snippet

Embed a FraudNet JavaScript or noscript snippet into the page where you're integrating FraudNet.

The integration code is based on the non-blocking script loader pattern. There are three parts to the integration:

  • <script> element used as a parameter block for passing input parameters to FraudNet
  • <script> element with code for asynchronously loading the FraudNet JavaScript
  • <noscript> element if JavaScript is not enabled for the application
  • The JavaScript passes parameters to FraudNet.

  • The s and f FraudNet parameters are required. All other FraudNet parameters are optional.

  • The fncls attribute is required, and its value must be fnparams-dede7cc5-15fd-4c75-a9f4-36c430ee3a99. To find and process parameters, FraudNet JavaScript searches for a script of type application/json with an attribute fncls, and its value must match that string.

  • This block works on any modern browser that has JavaScript enabled. Keep the parameter block as plain JSON: it must not contain comments or trailing commas, because it is parsed as JSON. The s value is the unique identifier for this web page.

    <script type="application/json" fncls="fnparams-dede7cc5-15fd-4c75-a9f4-36c430ee3a99">
        {
            "f":"change_this_to_32char_guid",
            "s":"unique_flowid_per_web_page"
        }
    </script>


There are two options for loading the FraudNet JavaScript:

Option 1: Insert this script element directly after the "fnparams" configuration JSON

<script type="text/javascript" src="https://c.paypal.com/da/r/fb.js"></script>

Option 2: Load FraudNet from your own code, after your page logic has run, by appending the script element

// Pass your configuration as options: { fnUrl: "https://c.paypal.com/da/r/fb.js" }
function _loadFraudnetConfig(options) {
  // A script element inserted from script runs asynchronously, so it does not block rendering
  var script = document.createElement('script');
  script.src = options.fnUrl;
  document.body.appendChild(script);
}

// Call it once the "fnparams" configuration JSON is in the page:
// _loadFraudnetConfig({ fnUrl: "https://c.paypal.com/da/r/fb.js" });

Modify the code

  • Set a unique and random identifier for the current transaction (or session) in the FraudNet f parameter, also known as FraudNet Session Identifier. The maximum length of the parameter is 32 characters.
  • Send the FraudNet f parameter value in the PAYPAL-CLIENT-METADATA-ID HTTP header for the Create order API request in Pay upon Invoice integration Step 2.
  • Set a unique identifier for your web page in the FraudNet s parameter, also known as Source Website Identifier. Each web page you integrate with FraudNet must have a different source identifier. The maximum length of the parameter is 32 characters. The suggested formula for the FraudNet s parameter is <merchant_id>_<page_id>.
    • merchant_id - You can find this in your profile: select Account Settings > Business Information > PayPal Merchant ID.
    • page_id - Use one of the following values: home-page, search-result-page, category-page, product-detail-page, cart-page, inline-cart-page, checkout-page.

2. Content Security Policy integration

CSP tags

If you are using Content Security Policy (CSP), you must add the following URLs to the CSP allowlist for each directive:

  Tag          Attribute (live)
  img-src      https://c.paypal.com, https://b.stats.paypal.com
  frame-src    https://c.paypal.com
  script-src   https://c.paypal.com

CSP scripts

If your Content Security Policy doesn't allow inline-scripts, use one of the following options:

  • Add unsafe-inline as a source in your script-src directive, such as Content-Security-Policy: script-src 'unsafe-inline'. This allows all inline scripts throughout your app to run, not only the FraudNet snippet.
  • Implement a nonce value to allowlist only the FraudNet script.

Allowlist inline scripts

You can allowlist specific, inline scripts without using the unsafe-inline directive. Do this by using either a cryptographic nonce (a number used once) or a SHA hash.

To use a nonce, add a nonce attribute in the script tag. You must generate a nonce at random with each page load and insert it into the CSP and the FraudNet script. PayPal recommends encoding a nonce value in Base64 using a cryptographically secure random number generator with at least 128 bits of data.

Note: PayPal recommends not using a static nonce because it's less secure than using the unsafe-inline directive. If attackers use the nonce value, they can bypass all other restrictions in the CSP and execute any script they want.

Nonce example: the same nonce value appears on the script element and in the CSP header.

    <script nonce="abcRANDOM_NONCE_VALUExyz">
        alert('Hello, world.');
    </script>

    Content-Security-Policy: script-src 'nonce-abcRANDOM_NONCE_VALUExyz'