Integrate FraudNet
DocsCurrentLast updated: April 6th 2022, @ 4:06:12 pm
FraudNet is a PayPal-developed, JavaScript library embedded into a merchant’s web page to collect browser-based data to help reduce fraud. Upon checkout, data elements are sent to PayPal Risk Services for fraud and risk assessment. FraudNet is for desktop browsers only.
Data collected by FraudNet is used for risk analysis and authentication. PayPal does not share FraudNet data with third parties for their own independent benefit.
To integrate FraudNet, embed a short code snippet in the merchant website and add a custom header to the PayPal call.
1. Embed FraudNet snippet
Embed a FraudNet JavaScript or noscript snippet into the page where you're integrating FraudNet.
The integration code is based on the non-blocking script loader pattern. There are three parts to the integration:
script/
element used as a parameter block for passing input parameters to FraudNetscript/
element with code for asynchronously loading the FraudNet JavaScriptnoscript/
element if JavaScript is not enabled for the application
- JavaScript
- noscript
The JavaScript passes parameters to FraudNet.
The
s
andf
FraudNet parameters are required. All other FraudNet parameters are optional.The
fncls
attribute is required, and its value must befnparams-dede7cc5-15fd-4c75-a9f4-36c430ee3a99
. To find and process parameters, FraudNet JavaScript searches for a script of typeapplication/json
with an attributefncls
, and its value must match that string.This block should work on any modern browser that has JavaScript enabled.
<script type="application/json" fncls="fnparams-dede7cc5-15fd-4c75-a9f4-36c430ee3a99"> { "f":"change_this_to_32char_guid", "s":"unique_flowid_per_web_page" // unique ID for each web page } </script>
There are two options for passing the data:
Option 1: Insert this code after the "fnparams" configuration JSON
<script type="text/javascript" src="https://c.paypal.com/da/r/fb.js"></script>
Option 2: Run FraudNet after your logic by appending it
// Pass your configuration as options: { fnUrl: "https://c.paypal.com/da/r/fb.js" }
function _loadFraudnetConfig(options) {
var script = document.createElement('script');
script.src = options.fnUrl;
document.body.appendChild(script);
}
Modify the code
- Set a unique and random identifier for the current transaction (or session) in the FraudNet
f
parameter, also known asFraudNet Session Identifier
. The maximum length of the parameter is 32 characters. - Send the FraudNet
f
parameter value in thePAYPAL-CLIENT-METADATA-ID
HTTP header for the Create order API request in Pay upon Invoice integration Step 2. - Set a unique identifier for your web page in the FraudNet
s
parameter, also known asSource Website Identifier
. Each web page you integrate with FraudNet must have a different source identifier. The maximum length of the parameter is 32 characters. Suggested formula for FraudNets
parameter is<merchant_id>_<page_id>
merchant_id
- You can find this in your profile, select Account Settings > Business Information >PayPal Merchant ID
.page_id
- Use one of the following values -home-page
,search-result-page
,category-page
,product-detail-page
,cart-page
,inline-cart-page
,checkout-page
.
2. Content Security Policy integration
CSP tags
If you are using Content Security Policy (CSP), you must add the following URLs in CSP to an allowlist
:
Tag | Attribute (live) |
---|---|
img-src | https://c.paypal.com , https://b.stats.paypal.com |
frame-src | https://c.paypal.com |
script-src | https://c.paypal.com |
CSP scripts
If your Content Security Policy doesn't allow inline-scripts, use one of the following options:
- Add
unsafe-inline
as a directive in yourscript-src policy
, such asContent-Security-Policy: script-src 'unsafe-inline'
. This allows access to all inline-resources throughout your app. - Implement a nonce value to
allowlist
the script.
Allowlist inline scripts
You can allowlist
specific, inline scripts without using the unsafe-inline
directive. Do this by using either a cryptographic nonce (a number used once) or a SHA hash.
To use a nonce, add a nonce attribute in the script tag. You must generate a nonce at random with each page load and insert it into the CSP and the FraudNet script. PayPal recommends encoding a nonce value in Base64 using a cryptographically secure random number generator with at least 128 bits of data.
Note: PayPal recommends not using a static nonce because it's less secure than using the
unsafe-inline
directive. If attackers use the nonce value, they can bypass all other restrictions in the CSP and execute any script they want.
- Nonce
- Script hash
1<script nonce=abcRANDOM_NONCE_VALUExyz>2alert('Hello, world.');3</script>4Content-Security-Policy: script-src 'nonce-abcRANDOM_NONCE_VALUExyz'