What is the purpose of the client secret ID?
Having a unique secret ID for every client is intended to prevent them from potentially trying to see invoices that don’t belong to them.
When an invoice is sent to a client, the URL looks something like this:
There is a chance that when viewing the invoice that a client who knows a little about web development and query strings might try to be sneaky and change one or more of the query string values in the URL, in an attempt to see if they can view other invoices that don’t belong to them (for example, changing invoice_ID=1000 to invoice_ID=500).
It will be impossible for the client to see an invoice that doesn’t belong to them as long as the client has a unique secret ID. Invoice Rocket checks to make sure the invoice_ID and client_ID belong to the client with the matching secret_ID, and if this check passes then they can view the invoice. If the check fails then they will see a 404 page.
Note: If a client managed to get access to another invoice after guessing a different existing invoice_ID, it would only be for an invoice they have already been sent anyway.
- About the System Report tool
- Are there any browser extensions or add-ons?
- Is Invoice Rocket a plug-in or a theme?
- What is the purpose of the client secret ID?
- Is Invoice Rocket a hosted service?
- Will Invoice Rocket work on a multi-site instance?
- Can I use it as a child theme?
- Will Invoice Rocket work on the wordpress.com hosted service?
- Language support
- Can I contract you to do some custom work for Invoice Rocket?
- Can I make suggestions for Invoice Rocket?
- I need help with something that isn’t mentioned here
Subscribe to be first to learn about any new features, updates or special offers.