The application requires several secrets to communicate with Stripe and protect user sessions. All of these must be provided as environment variables at runtime — none of them should be committed to source control.
The current codebase contains hardcoded secrets that must be replaced before deploying to production. Specifically:
  • The session secret is hardcoded as "s3cret1" in the cookie configuration.
  • The Stripe publishable key is hardcoded inside subscribe.tsx.
Leaving these in place means anyone who can read the repository (or the built image) knows the session signing key and can forge valid session cookies for any user. The publishable key is not secret, but hardcoding it ties the client bundle to a single Stripe account and mode, so switching between test and live keys becomes a code change rather than a configuration change.

Required variables

Variable                 Example value               Description
STRIPE_SECRET_KEY        sk_live_...                 Stripe secret API key. Use sk_test_... in development.
STRIPE_PUBLISHABLE_KEY   pk_live_...                 Stripe publishable key used client-side. Currently hardcoded; should be moved to env.
STRIPE_WEBHOOK_SECRET    whsec_...                   Signing secret for verifying webhook payloads.
SESSION_SECRET           (random 32+ char string)    Secret used to sign session cookies. Must be changed from the default "s3cret1".

Variable reference

env.STRIPE_SECRET_KEY
string
required
Your Stripe secret key. Used server-side to create customers, checkout sessions, and billing portal sessions.
  • Development: sk_test_... (from the Stripe Dashboard test mode)
  • Production: sk_live_... (from the Stripe Dashboard live mode)
Never expose this key to the browser.
env.STRIPE_PUBLISHABLE_KEY
string
required
Your Stripe publishable key. Safe to expose to the browser and used to initialise Stripe.js on the client. Currently this value is hardcoded in subscribe.tsx. Move it to an environment variable and read it via window.ENV or a loader before deploying to production.
  • Development: pk_test_...
  • Production: pk_live_...
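An added example, not code from the original page or the project, of how the server can validate all four variables at startup and hand only the publishable key to the browser. The names loadEnv, publicEnv and ServerEnv are assumptions for illustration; the prefix checks follow the key formats listed above, and the test/live mode check is an extra guard not mentioned on the page.

```typescript
// Added example (hypothetical names): fail-fast env loading for the Stripe app.
// The publishable key is the only value allowed to reach window.ENV.

export interface ServerEnv {
  STRIPE_SECRET_KEY: string;
  STRIPE_PUBLISHABLE_KEY: string;
  STRIPE_WEBHOOK_SECRET: string;
  SESSION_SECRET: string;
}

// Allow-list of names that may be serialised to the client. Everything else is server-only.
const PUBLIC_KEYS = ["STRIPE_PUBLISHABLE_KEY"] as const;
export type PublicEnv = Pick<ServerEnv, (typeof PUBLIC_KEYS)[number]>;

// Format rules per variable: the key formats from the table above, plus the
// 32-character minimum for SESSION_SECRET (the default "s3cret1" fails it).
const rules: Array<[keyof ServerEnv, RegExp, string]> = [
  ["STRIPE_SECRET_KEY", /^sk_(test|live)_/, "must start with sk_test_ or sk_live_"],
  ["STRIPE_PUBLISHABLE_KEY", /^pk_(test|live)_/, "must start with pk_test_ or pk_live_"],
  ["STRIPE_WEBHOOK_SECRET", /^whsec_/, "must start with whsec_"],
  ["SESSION_SECRET", /^.{32,}$/, "must be at least 32 characters"],
];

// Second path component of a Stripe key is its mode: sk_test_... -> "test".
const stripeMode = (key: string): string => key.split("_")[1];

export function loadEnv(source: Record<string, string | undefined> = process.env): ServerEnv {
  const errors: string[] = [];
  const out: Partial<ServerEnv> = {};

  for (const [name, pattern, hint] of rules) {
    const value = source[name];
    if (!value) {
      errors.push(`${name} is not set`);
      continue;
    }
    if (!pattern.test(value)) {
      // Report the variable name only; never echo secret values into logs.
      errors.push(`${name} ${hint}`);
      continue;
    }
    out[name] = value;
  }

  // A live secret key paired with a test publishable key (or vice versa) is a
  // deployment mistake that would otherwise surface only as failed checkouts.
  if (
    out.STRIPE_SECRET_KEY &&
    out.STRIPE_PUBLISHABLE_KEY &&
    stripeMode(out.STRIPE_SECRET_KEY) !== stripeMode(out.STRIPE_PUBLISHABLE_KEY)
  ) {
    errors.push("STRIPE_SECRET_KEY and STRIPE_PUBLISHABLE_KEY are from different Stripe modes (test vs live)");
  }

  if (errors.length > 0) {
    throw new Error("Invalid environment:\n  " + errors.join("\n  "));
  }
  return out as ServerEnv;
}

// Copy only allow-listed names, so a new server-only variable can never leak
// to the browser by accident.
export function publicEnv(env: ServerEnv): PublicEnv {
  const out = {} as PublicEnv;
  for (const key of PUBLIC_KEYS) out[key] = env[key];
  return out;
}
```

In a root loader you would return publicEnv(loadEnv()) and serialise it into the script that sets window.ENV; the secret key, webhook secret and session secret never pass through that path because publicEnv copies only names in PUBLIC_KEYS.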
env.STRIPE_WEBHOOK_SECRET
string
required
The signing secret (whsec_...) used to verify that incoming webhook requests originate from Stripe.
  • For the Stripe Dashboard endpoint: copy the secret from Developers → Webhooks → your endpoint → Signing secret.
  • For local development with the Stripe CLI: the CLI prints the secret when you run stripe listen.
See the webhook overview for how this is used in signature verification.
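As an added example (not the project's code, and not a replacement for stripe.webhooks.constructEvent in the official SDK, which performs the same steps), here is what signature verification involves: the Stripe-Signature header carries a timestamp t and one or more v1 values, each an HMAC-SHA256 over the string `${t}.${rawBody}` keyed with the whsec_ secret; the receiver recomputes the HMAC, compares in constant time, and rejects timestamps outside a tolerance window. The secret, body and timestamp in the test are constructed; signPayload and verifyStripeSignature are hypothetical names.

```typescript
// Added example (hypothetical names): Stripe-style webhook signature check.
import { createHmac, timingSafeEqual } from "node:crypto";

// Stripe's SDK default tolerance for the timestamp in the header.
export const DEFAULT_TOLERANCE_SECONDS = 300;

function hmacHex(signedPayload: string, secret: string): string {
  return createHmac("sha256", secret).update(signedPayload, "utf8").digest("hex");
}

// Produces a header in the same shape Stripe sends; used here only to build
// test input (this is what the Stripe CLI / dashboard does on its side).
export function signPayload(rawBody: string, secret: string, timestamp: number): string {
  return `t=${timestamp},v1=${hmacHex(`${timestamp}.${rawBody}`, secret)}`;
}

// Parses "t=1700000000,v1=abc...,v0=..." into a timestamp and all v1 signatures.
function parseHeader(header: string): { t: number; v1: string[] } {
  let t = NaN;
  const v1: string[] = [];
  for (const part of header.split(",")) {
    const eq = part.indexOf("=");
    if (eq < 0) continue;
    const key = part.slice(0, eq).trim();
    const value = part.slice(eq + 1).trim();
    if (key === "t") t = Number(value);
    else if (key === "v1" && value) v1.push(value);
  }
  return { t, v1 };
}

export function verifyStripeSignature(
  rawBody: string,
  header: string,
  secret: string,
  now: number = Math.floor(Date.now() / 1000),
  tolerance: number = DEFAULT_TOLERANCE_SECONDS,
): boolean {
  const { t, v1 } = parseHeader(header);
  if (!Number.isInteger(t) || v1.length === 0) return false;

  // Bound replay: a captured valid request stops verifying after the window.
  if (Math.abs(now - t) > tolerance) return false;

  // The HMAC must be computed over the exact bytes Stripe sent, so the caller
  // must pass the raw body, not a re-serialised JSON object.
  const expected = Buffer.from(hmacHex(`${t}.${rawBody}`, secret), "utf8");

  // Several v1 signatures can be present while a secret is being rotated;
  // accept if any matches, comparing in constant time.
  return v1.some((sig) => {
    const got = Buffer.from(sig, "utf8");
    return got.length === expected.length && timingSafeEqual(got, expected);
  });
}
```

In a Remix action the raw body comes from await request.text(); parse it as JSON only after verifyStripeSignature returns true, since any re-serialisation (whitespace, key order) changes the HMAC and a failed check is the only signal that the request did not come from Stripe.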
env.SESSION_SECRET
string
required
An arbitrary secret string used to sign the session cookie. Anyone who knows this value can forge valid session cookies.
  • Use a randomly generated string of at least 32 characters.
  • Rotate this secret if it is ever exposed.
The current hardcoded value "s3cret1" must be replaced before going to production.
The session cookie is configured with the following options:
Setting    Value        Purpose
httpOnly   true         Prevents client-side JavaScript from reading the cookie.
secure     true         Transmits the cookie over HTTPS only.
sameSite   lax          Mitigates CSRF attacks while allowing top-level navigation.
maxAge     60 seconds   Cookie lifetime. Adjust for your session duration requirements.
The current maxAge of 60 seconds is very short and will log users out after one minute. Increase this value to a suitable duration (for example, 60 * 60 * 24 * 7 for one week) before deploying.
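An added example, not the project's own code (Remix's createCookieSessionStorage performs this signing for you), covering both the session secret and the cookie options above. It generates a SESSION_SECRET of the recommended strength, signs and verifies a cookie value with HMAC-SHA256, builds the Set-Cookie header with the settings from the table, and shows why the default "s3cret1" matters: anyone who read it in the repository can mint a cookie the server accepts. Function names and the value.signature cookie format are assumptions; the cookie values in the test are constructed.

```typescript
// Added example (hypothetical names): signed session cookies and their attributes.
import { createHmac, randomBytes, timingSafeEqual } from "node:crypto";

// 32 random bytes -> 43 URL-safe characters, which satisfies the "32+ char" rule.
export function generateSessionSecret(bytes = 32): string {
  return randomBytes(bytes).toString("base64url");
}

function mac(value: string, secret: string): string {
  return createHmac("sha256", secret).update(value, "utf8").digest("base64url");
}

// Cookie layout used here: "<value>.<base64url HMAC>"; the value itself is not encrypted.
export function signCookie(value: string, secret: string): string {
  return `${value}.${mac(value, secret)}`;
}

// Returns the original value if the MAC is valid, otherwise null.
export function verifyCookie(signed: string, secret: string): string | null {
  const dot = signed.lastIndexOf(".");
  if (dot < 0) return null;
  const value = signed.slice(0, dot);
  const got = Buffer.from(signed.slice(dot + 1), "utf8");
  const want = Buffer.from(mac(value, secret), "utf8");
  if (got.length !== want.length || !timingSafeEqual(got, want)) return null;
  return value;
}

export interface CookieOptions {
  httpOnly: boolean;
  secure: boolean;
  sameSite: "lax" | "strict" | "none";
  maxAge: number; // seconds
  path?: string;
}

// The table's settings with maxAge raised to one week, as the text recommends.
export const PRODUCTION_COOKIE: CookieOptions = {
  httpOnly: true,
  secure: true,
  sameSite: "lax",
  maxAge: 60 * 60 * 24 * 7,
  path: "/",
};

export function setCookieHeader(name: string, signedValue: string, o: CookieOptions): string {
  // Browsers reject SameSite=None cookies that are not also Secure.
  if (o.sameSite === "none" && !o.secure) {
    throw new Error("sameSite=none requires secure=true");
  }
  const sameSite = o.sameSite.charAt(0).toUpperCase() + o.sameSite.slice(1);
  const parts = [
    `${name}=${encodeURIComponent(signedValue)}`,
    `Path=${o.path ?? "/"}`,
    `Max-Age=${o.maxAge}`,
    `SameSite=${sameSite}`,
  ];
  if (o.httpOnly) parts.push("HttpOnly");
  if (o.secure) parts.push("Secure");
  return parts.join("; ");
}
```

The forgery in the test needs no vulnerability in the app: the attacker simply runs signCookie with the secret they read from the source. Rotating to a fresh value from generateSessionSecret invalidates every cookie signed under the old one, which is the intended effect after an exposure.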

Setting variables in production

Values passed with --env end up in your shell history and are visible to anyone who can run docker inspect on the container; for real deployments inject them from your orchestrator's secret store, or use --env-file with a file kept outside the repository. For a direct run:

docker run \
  --env STRIPE_SECRET_KEY=sk_live_... \
  --env STRIPE_PUBLISHABLE_KEY=pk_live_... \
  --env STRIPE_WEBHOOK_SECRET=whsec_... \
  --env SESSION_SECRET=your-random-secret \
  stripe-payment-app
