Follow these best practices to ensure your web Drop-in/Components integration is secure, performant, and compliant.
Requirements
Before you begin, take into account the following requirements, limitations, and preparations.
| Requirement | Description |
|---|---|
| Integration type | Use these best practices to build your Web Drop-in or Web Components integration. |
Keep your integration up-to-date
Staying up-to-date on the latest version of Drop-in/Components is crucial for new features, security updates, and compliance.
Handle web framework re-renders
Modern frameworks can re-render UI components, which can cause unexpected behavior in the checkout. To prevent this, initialize AdyenCheckout and mount your Components only once, when you are ready to display the payment methods.
Some web frameworks might require some extra attention when using specific approaches.
- React.StrictMode: this leads to re-renders and re-executions of effects and callbacks. Ensure that
AdyenCheckoutand Components are not initialized multiple times. - Custom hooks: you can encapsulate the initialization of
AdyenCheckoutin a custom hook. If you do, ensure your hook returns the instance of the Component that you mount in your UI. And most importantly, make sure that the mounting is executed only once, in the React component that consumes that hook.
For example, when using a custom hook in React, ensure the component is not mounted multiple times on re-renders.
Manage Server-Side Rendering (SSR)
Drop-in/Components depend on browser APIs like window and document. If you use SSR, make sure the code that creates an AdyenCheckout instance and mounts a Component is executed on the client side.
Use HTTPS for your checkout
To protect sensitive payment data, host your Adyen checkout on a page that uses HTTPS.
In your live environment, you need to use HTTPS. It encrypts the connection between the shopper browser and your server, which prevents data interception and tampering. If you do not use HTTPS in production, it leads to security warnings and can cause payments to fail.
For local development and testing, you can use HTTP. However, make sure you switch to HTTPS before you go live. Read about end-to-end online payments testing for more information.
Avoid <iframe> elements
We do not recommend integrating your checkout in an <iframe> due to potential complexities. When an <iframe> is hosted on a different domain than its parent, redirect payment flows doesn't work. This is because the <iframe> can't redirect when the parent is a different domain. This restriction leads to failed transactions and a poor user experience. Some payment methods may also behave differently or require a specific configuration when used in an <iframe>.
If you must use an <iframe>, host it on the same domain as the parent page.
Avoid WebViews
For native mobile apps, we recommend that you do not use WebViews to display the checkout.
WebViews are less secure and functional than native components and can cause performance issues, especially with payment methods that require redirects.
Instead, you should implement native components, for example:
- Custom Tabs for Android
- SFSafariViewController for iOS.
Ensure browser compatibility
Our Drop-in/Components are designed to work seamlessly with recent versions of all major browsers. To ensure the highest security standards and optimal performance we focus on modern browsers that receive regular security updates.
Supported desktop browsers
| Browser | Version |
|---|---|
| Chrome | 80 or later |
| Safari | 15.4 or later |
| Firefox | 74 or later |
| Microsoft Edge | 80 or later |
| Opera | 67 or later |
Supported mobile browsers
| Platform | Browser | Version requirement |
|---|---|---|
|
iOS |
Safari or any browser using WebKit |
iOS 15.4 or later |
| Android |
80 or later |
|
|
12 or later |
Understand cookie usage
Drop-in/Components may set one cookie, _RP_UID, which is generated by our internal risk management module. This module is enabled by default and helps identify suspicious browsing or purchasing patterns. We do not recommend disabling it.
Other cookies, from adyen.com, may be present if you previously visited our websites and accepted cookies. To see only the cookies used by your integration, clear your browser data or use an incognito window for testing.
Account for interactions with browser extensions
We do not take responsibility for how Drop-in/Components interact with browser extensions like ad blockers, cookie managers, or password managers. An improperly configured extension can block an <iframe> or other elements required for payment methods to function correctly.
Enhance your integration with Adyen Uplift
We recommend that you use features of Adyen Uplift in your integration to increase payment conversion, simplify fraud management, and reduce the cost of payments.
Manage client-side resources
There are two ways to load the client-side resources for Web Drop-in/Components:
- Load through the Adyen Web npm package.
Recommended - Embed the Adyen Web script and stylesheet into your HTML file.
Our integration guides for the Sessions and Advanced flows include the instructions for both options. If you decide to embed the script and stylesheet into your HTML file, there are additional considerations.
Embed the Adyen Web script and stylesheet into your HTML file
When embedding the script and stylesheet, make sure that the URL region matches with the region of your live endpoints and the environment you configured for Drop-in/Components in your Sessions, or Advanced flow integration.
We also recommend to use Subresource Integrity hashes to ensure security.
Implement Subresource Integrity hashes
We recommend that you implement Subresource Integrity (SRI) to ensure that the files you are loading from Adyen have not been manipulated or tampered with by malicious actors.
To use the SRI hash, you need to add an integrity attribute when specifying <script> or <link> elements. Browsers will also check for the crossorigin attribute to ensure that the origin allows Cross-Origin Resource Sharing (CORS). If a browser detects that the file's hash does not match the specified hash, the browser will not load the resource. To know which browsers support SRI, refer to this browser compatibility list.
Adyen provides the SRI hash that you include as the integrity attribute. You can find the SRI hashes for all versions of our JavaScript and CSS files in our release notes, under Updating to this version.
For example, here is how you specify version 4.2.0 adyen.js and adyen.css resources:
<script src="https://checkoutshopper-live.adyen.com/checkoutshopper/sdk/4.2.0/adyen.js"
integrity="sha384-SGA+BK9i1sG5N4BTCgRH6EGbopUK8WG/azn/TeIHYeBEXmEaB+NT+410Z9b1ii7Z"
crossorigin="anonymous"></script><link rel="stylesheet"
href="https://checkoutshopper-live.adyen.com/checkoutshopper/sdk/4.2.0/adyen.css"
integrity="sha384-oT6lIQpTr+nOu+yFBPn8mSMkNQID9wuEoTw8lmg2bcrFoDu/Ae8DhJVj+T5cUmsM"
crossorigin="anonymous">Test your integration
When you have a working online payments integration, test:
- In a secure context
- On real mobile devices
For more information, read:
- End-to-end testing documentation, providing more general testing advice.
- Testing payments and modifications documentation, listing scenarios you can test your integration on.