To ensure that the form and details cannot be tampered with, you can choose to sign the links. Here's how to do it:
- Specify which fields you want to protect. You may choose none, any or all of the fields.
- Set the field as protected by marking the field name as a value to the key "data_readonly".
- Repeat this for all the fields you want to protect (the output querystring is similar to what you would get with an HTML form with a select multiple attribute).
This is an example of a link with all fields protected. You may verify that tamper protection is on by trying to edit any of the read-only fields in the URL (such as amount).
The procedure for generating the signature is straightforward.
1. Concatenate the values of the read-only fields (in lexicographical order of the keys in lower case), with each value separated by a pipe (|).
2. The resultant string is signed using the HMAC-SHA1 algorithm using a key/salt that we'll provide. There is a more detailed explanation on generating the signature here.
You use the key "data_sign" to specify the signature.
To get your key/salt, click here.
You also have the option to not let any transaction take place without signing of links. Write to us to enable this.