Follow these best practices to ensure your web Drop-in/Components integration is secure, performant, and compliant.
Requirements
Before you begin, take into account the following requirements, limitations, and preparations.
| Requirement | Description |
|---|---|
| Integration type | Use these best practices to build your Web Drop-in or Web Components integration. |
Keep your integration up-to-date
Staying up-to-date on the latest version of Drop-in/Components is crucial for new features, security updates, and compliance.
Handle web framework re-renders
Modern frameworks can re-render UI components, which can cause unexpected behavior in the checkout. To prevent this, initialize AdyenCheckout and mount your Components only once, when you are ready to display the payment methods.
Some web frameworks might require some extra attention when using specific approaches.
- React.StrictMode: this leads to re-renders and re-executions of effects and callbacks. Ensure that
AdyenCheckoutand Components are not initialized multiple times. - Custom hooks: you can encapsulate the initialization of
AdyenCheckoutin a custom hook. If you do, ensure your hook returns the instance of the Component that you mount in your UI. And most importantly, make sure that the mounting is executed only once, in the React component that consumes that hook.
For example, when using a custom hook in React, ensure the component is not mounted multiple times on re-renders.
Manage Server-Side Rendering (SSR)
Drop-in/Components depend on browser APIs like window and document. If you use SSR, make sure the code that creates an AdyenCheckout instance and mounts a Component is executed on the client side.
Use HTTPS for your checkout
To protect sensitive payment data, host your Adyen checkout on a page that uses HTTPS.
In your live environment, you need to use HTTPS. It encrypts the connection between the shopper browser and your server, which prevents data interception and tampering. If you do not use HTTPS in production, it leads to security warnings and can cause payments to fail.
For local development and testing, you can use HTTP. However, make sure you switch to HTTPS before you go live. Read about end-to-end online payments testing for more information.
Avoid <iframe> elements
We do not recommend integrating your checkout in an <iframe> due to potential complexities. When an <iframe> is hosted on a different domain than its parent, redirect payment flows doesn't work. This is because the <iframe> can't redirect when the parent is a different domain. This restriction leads to failed transactions and a poor user experience. Some payment methods may also behave differently or require a specific configuration when used in an <iframe>.
If you must use an <iframe>, host it on the same domain as the parent page.
Avoid WebViews
For native mobile apps, we recommend that you do not use WebViews to display the checkout.
WebViews are less secure and functional than native components and can cause performance issues, especially with payment methods that require redirects.
Instead, you should implement native components, for example:
- Custom Tabs for Android
- SFSafariViewController for iOS.
Ensure browser compatibility
Our Drop-in/Components are designed to work seamlessly with recent versions of all major browsers. To ensure the highest security standards and optimal performance we focus on modern browsers that receive regular security updates.
Supported desktop browsers
| Browser | Version |
|---|---|
| Chrome | 80 or later |
| Safari | 15.4 or later |
| Firefox | 74 or later |
| Microsoft Edge | 80 or later |
| Opera | 67 or later |
Supported mobile browsers
| Platform | Browser | Version requirement |
|---|---|---|
| iOS | Safari or any browser using WebKit | iOS 15.4 or later |
| Android | Chrome | 80 or later |
| Samsung Internet | 12 or later |
Understand cookie usage
Drop-in/Components may set one cookie, _RP_UID, which is generated by our internal risk management module. This module is enabled by default and helps identify suspicious browsing or purchasing patterns. We do not recommend disabling it.
Other cookies, from adyen.com, may be present if you previously visited our websites and accepted cookies. To see only the cookies used by your integration, clear your browser data or use an incognito window for testing.
Account for interactions with browser extensions
We do not take responsibility for how Drop-in/Components interact with browser extensions like ad blockers, cookie managers, or password managers. An improperly configured extension can block an <iframe> or other elements required for payment methods to function correctly.
Test your integration
When you have a working online payments integration, test:
- In a secure context
- On real mobile devices
For more information, read:
- End-to-end testing documentation, providing more general testing advice.
- Testing payments and modifications documentation, listing scenarios you can test your integration on.