Security

API Communications

Communication between the Comgate payment system and the e-shop takes place in three ways.

  • The server part of the e-shop solution connects as a client to the server part of the payment gateway and calls methods for establishing payment, obtaining payment status in the background, confirming preauthorization, cancelling preauthorization, and obtaining a list of payment methods.
  • The server part of the payment gateway connects as a client to the server part of the e-shop solution and calls a method to transfer the payment result in the background.
  • The payer's (user's) browser is redirected from the e-shop to the payment gateway and then back to the e-shop from the payment gateway.

In all three cases, the use of the encrypted HTTPS protocol is necessary. The payment gateway only supports secure TLS/SSL protocol settings with the following allowed ciphers: https://github.com/cloudflare/sslconfig/blob/master/conf

In the case of server-to-server communication, communication is secured using a password (secret) and IP whitelist settings.

For REST, a header is added in the form: "Authorization: Basic base64_encode(merchant:secret)". Merchant is the E-shop identifier in the Comgate system - you can find it in the Client Portal in the section e-shop settings - e-shop connection. Secret is the password.
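The header construction described above, and the matching check an e-shop can run on the requests it receives from the gateway, as an added example (not Comgate's own code). The merchant identifier and secret are constructed placeholders; the comparison of the decoded credentials is done in constant time so the secret cannot be guessed by measuring response times.

```python
import base64
import hmac

# Constructed placeholder credentials; real values come from the Client Portal.
MERCHANT = "123456"
SECRET = "example-secret"


def basic_auth_header(merchant: str, secret: str) -> str:
    """Build the value the e-shop sends: 'Basic ' + base64(merchant:secret)."""
    token = base64.b64encode(f"{merchant}:{secret}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def verify_basic_auth(header_value: str, expected_merchant: str, expected_secret: str) -> bool:
    """Validate an incoming Authorization header against the configured
    merchant/secret pair. Returns False on any malformed input instead of
    raising, so a bad header is simply rejected."""
    scheme, _, token = header_value.strip().partition(" ")
    if scheme != "Basic" or not token:
        return False
    try:
        decoded = base64.b64decode(token, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return False
    if ":" not in decoded:
        return False
    expected = f"{expected_merchant}:{expected_secret}"
    # Constant-time comparison of the whole 'merchant:secret' string.
    return hmac.compare_digest(decoded.encode("utf-8"), expected.encode("utf-8"))


if __name__ == "__main__":
    header = basic_auth_header(MERCHANT, SECRET)
    print(header)
    print("valid:", verify_basic_auth(header, MERCHANT, SECRET))
```

The verifier rejects a wrong scheme, non-base64 tokens and a missing colon before it ever compares secrets, and it never reports which part of the pair was wrong.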

Whitelist

Allowed IP addresses can be written in the format IPv4 or IPv4/MASK. Only one value is allowed per line. A comment can be added at the end of each line after the definition itself, separated from the value by at least one space.

If you are unable to determine the range of IP addresses for your system, you can enter the value 0.0.0.0/0, which allows addresses from all over the world. This setting is risky from a security standpoint and it is recommended to avoid it.

These parameters can be set in the client portal environment.

Example:

8.8.8.8 IP Google
1.1.1.1 IP cloudflare
8.8.0.0/16 Subnet Google
1.1.1.0/24 Subnet Cloudflare
0.0.0.0/0 Entire internet

Comgate IP ranges

Payment initiation passes through the Cloudflare service. The list of Cloudflare IP addresses to allow is published here: https://www.cloudflare.com/ips-v4

The IP address range used by the Comgate system is defined as 89.185.236.55/32. This range is only used for transferring the payment result in the background.
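A parser for the whitelist format described above (one IPv4 or IPv4/MASK value per line, optional comment after at least one space) together with a source-IP check, as an added example that is not Comgate's own code. It serves both the whitelist section and this one: the same routine that validates an e-shop's whitelist entries can restrict incoming background result calls to the documented 89.185.236.55/32 range. The sample whitelist is constructed; treating a value with host bits set (for example 1.1.1.1/24) as its containing network is an assumption about how the portal would interpret it.

```python
import ipaddress
from typing import List, Optional, Tuple

# Constructed sample in the documented format.
SAMPLE_WHITELIST = """\
8.8.8.8 IP Google
1.1.1.0/24 Subnet Cloudflare
"""

# The documented source range for the background payment result.
COMGATE_RESULT_RANGE = "89.185.236.55/32 Comgate background result"

Entry = Tuple[ipaddress.IPv4Network, str]


def parse_whitelist(text: str) -> List[Entry]:
    """Parse whitelist lines into (network, comment) pairs.
    Blank lines are skipped; anything after the first space is a comment.
    Raises ValueError with the line number for an unparsable value."""
    entries: List[Entry] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        value, _, comment = line.partition(" ")
        try:
            # strict=False masks host bits (assumption, see lead-in).
            net = ipaddress.IPv4Network(value, strict=False)
        except ValueError as exc:
            raise ValueError(f"line {lineno}: invalid IPv4 or IPv4/MASK value {value!r}") from exc
        entries.append((net, comment.strip()))
    return entries


def is_allowed(source_ip: str, entries: List[Entry]) -> bool:
    """True when source_ip is an IPv4 address inside any whitelisted network."""
    try:
        addr = ipaddress.ip_address(source_ip)
    except ValueError:
        return False
    if not isinstance(addr, ipaddress.IPv4Address):
        return False
    return any(addr in net for net, _ in entries)


def risky_entries(entries: List[Entry]) -> List[Entry]:
    """Entries that open the list to the whole internet (0.0.0.0/0),
    the setting the documentation recommends avoiding."""
    return [(net, c) for net, c in entries if net.prefixlen == 0]


def callback_source_allowed(source_ip: str, extra: Optional[str] = None) -> bool:
    """Check the peer address of a background result call against the
    documented Comgate range (plus any extra whitelist text)."""
    text = COMGATE_RESULT_RANGE + ("\n" + extra if extra else "")
    return is_allowed(source_ip, parse_whitelist(text))


if __name__ == "__main__":
    entries = parse_whitelist(SAMPLE_WHITELIST)
    for net, comment in entries:
        print(net, "-", comment)
    print("1.1.1.200 allowed:", is_allowed("1.1.1.200", entries))
    print("callback from 89.185.236.55:", callback_source_allowed("89.185.236.55"))
```

Run the source check on the real peer address of the TCP connection, not on a client-supplied header such as X-Forwarded-For, unless a trusted proxy in front of the e-shop sets that header itself.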

Content Security Policy (CSP)

If you use the Content-Security-Policy header on your website and want to display the Comgate payment gateway in an iframe on your page in any way, it is necessary to add a special directive frame-src *; to the CSP header. This specifies valid sources for loading nested contexts using elements such as <frame> and <iframe>.

For the frame-src directive, it is not sufficient to allow only the domains of the Comgate payment gateway. All external contexts must always be explicitly allowed, i.e., *.

The reason for this setting is:

  • the necessity to display the page with 3D Secure during card payments involving the payer,
  • redirection to the web application at some payment method providers.

Example of a CSP header:

Content-Security-Policy:
default-src 'self';
script-src 'self';
style-src 'self';
img-src 'self';
connect-src 'self';
form-action 'self';
frame-src *;
frame-ancestors 'none';
upgrade-insecure-requests
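A small policy checker for the requirement above, as an added example that is not Comgate's own code: it parses a Content-Security-Policy value, works out which directive actually governs frames (frame-src, falling back to child-src and then default-src, as browsers do) and reports whether the policy permits any external context, i.e. contains frame-src *. The single-line header constant is the page's example rewritten on one line.

```python
from typing import Dict, List, Optional

# The documentation's example header, joined onto one line.
EXAMPLE_CSP = (
    "default-src 'self'; script-src 'self'; style-src 'self'; img-src 'self'; "
    "connect-src 'self'; form-action 'self'; frame-src *; "
    "frame-ancestors 'none'; upgrade-insecure-requests"
)


def parse_csp(header_value: str) -> Dict[str, List[str]]:
    """Split a CSP value into {directive: [sources]}.
    Directives are ';'-separated; name and sources are whitespace-separated.
    A repeated directive keeps its first occurrence, as browsers do."""
    policy: Dict[str, List[str]] = {}
    for part in header_value.split(";"):
        tokens = part.split()
        if not tokens:
            continue
        policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy


def effective_frame_sources(policy: Dict[str, List[str]]) -> Optional[List[str]]:
    """Sources that govern <frame>/<iframe> loads: frame-src, else child-src,
    else default-src. None means the policy does not restrict frames at all."""
    for name in ("frame-src", "child-src", "default-src"):
        if name in policy:
            return policy[name]
    return None


def frame_src_allows_gateway(header_value: str) -> bool:
    """True when the policy lets any external context load in a frame, which
    the gateway needs for 3D Secure pages and provider redirects in the iframe."""
    sources = effective_frame_sources(parse_csp(header_value))
    return sources is None or "*" in sources


def with_frame_src_any(header_value: str) -> str:
    """Return the policy with frame-src set to '*' (added or replaced),
    leaving every other directive untouched."""
    policy = parse_csp(header_value)
    policy["frame-src"] = ["*"]
    return "; ".join(" ".join([name, *srcs]) for name, srcs in policy.items())


if __name__ == "__main__":
    print("example header ok:", frame_src_allows_gateway(EXAMPLE_CSP))
    strict = "default-src 'self'; frame-src 'self'"
    print("strict header ok:", frame_src_allows_gateway(strict))
    print("fixed:", with_frame_src_any(strict))
```

Note that a policy with no frame-src at all still blocks the gateway when default-src is 'self', because the fallback chain applies; the checker treats that case the same as an explicit restrictive frame-src.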

More information about Content Security Policy can be found on the MDN web docs pages.

For correct assembly of the Content-Security-Policy header, we recommend using a tool like Report URI.