Stripe
What is Stripe?
A Stripe-operated web crawler, identifiable by a user agent string that names Stripe, that visits merchant websites to collect public metadata and risk signals for Stripe products. It typically respects robots.txt and fetches lightweight resources (pages, policy documents, logos and favicons) rather than crawling a site exhaustively.
Legitimate uses
– Risk and underwriting: verify website presence, business model, prohibited products.
– Fraud/risk signals for Radar: domain reputation, content cues, checkout presence.
– Branding and UX: fetch logo, favicon, Open Graph for Checkout, Receipts, Link.
– Compliance: content checks for restricted businesses; descriptor validation.
– Integration health: detect embedded Checkout/Elements for diagnostics.
Fraud/abuse considerations (by attackers, not Stripe)
– Spoofing the Stripe UA to slip through bot allowlists and then scrape or hoard inventory; the user agent is a free-text header, so a UA match on its own proves nothing about who is really crawling.
– Recon to find exposed keys, test pages, misconfigs before card testing.
– Data harvesting (SKUs/pricing) to enable triangulation fraud.
– Phishing/pretexting: “Stripe verification” crawls as social-engineering cover.
Why is Stripe crawling my site?
It is typically verifying the business behind your account and the URLs you supplied: product and offer pages, pricing, availability, refund/terms/privacy policies, and overall legitimacy and compliance, both during onboarding and in periodic risk reviews. It may also validate links embedded in Checkout or Invoices, enrich risk and dispute investigations, and confirm that customer-facing flows are functional and safe.
Potential downsides: incremental non-human traffic inflating analytics, triggering WAF or bot rules, skewing conversion or abandonment metrics, firing pixels and A/B allocations, and affecting inventory counters or rate-limited APIs. It can also touch staging or gated areas if those URLs were shared, create cache churn, and, if it encounters inconsistencies (for example mismatched policies or pricing), contribute to risk flags or payout delays.
How to block Stripe?
Two caveats first. UA filtering stops any client that announces itself as Stripe, real or spoofed, and nothing that does not; a scraper that simply drops the string walks past it, so pair it with steps 2 to 4. And if you process payments through Stripe, blocking its crawl can interfere with the account verification described above, so decide whether you want to block it outright or only throttle it.
1) User-Agent filtering at the web server
Nginx (inside the server block; ~* is a case-insensitive match): if ($http_user_agent ~* "Stripe") { return 403; }
Apache:
RewriteEngine On
RewriteCond %{HTTP_USER_AGENT} "(?i)Stripe"
RewriteRule .* - [F]
2) IP/ASN/network blocking
Block the IP ranges or hosting ASNs the crawler actually arrives from, as observed in your own access logs, if they are identified and unwanted. Confirm ownership before blocking an entire hosting ASN, since it will also carry unrelated customers' traffic.
3) Rate limiting and dynamic banning
Use Nginx limit_req (a limit_req_zone keyed on the client address, applied in the relevant location) or similar to throttle high-frequency requests from this bot; optionally run fail2ban against the access log to ban sources that keep hitting 403s or the honeypot URLs from step 4.
4) JavaScript token + honeypot traps
Require JS-generated signed cookies or tokens for unverified clients; add honeypot URLs that are linked nowhere and disallowed in robots.txt, and ban any client, Stripe agent or not, that touches them. Because the real crawler typically honours robots.txt, a hit on a disallowed honeypot path is a strong sign of a spoofer rather than of Stripe.
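The four steps above combined into one request-gating policy, as an added example in Python; it is not code from this page, from Stripe, or from DataDome. It also covers the spoofed-UA case from "Fraud/abuse considerations": with block_stripe=False it refuses a Stripe UA arriving from outside the networks you have verified and admits the rest. Everything configurable is an assumption: the HMAC secret, the honeypot paths, TEST-NET-3 (203.0.113.0/24) standing in for whatever ranges you verify yourself, the rate limit, the "Stripe/1.0" user agent string, and the constructed requests in run_sample.

```python
import hashlib
import hmac
import ipaddress
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Optional

# Assumed configuration: placeholders, not values from Stripe or the page above.
TOKEN_SECRET = b"replace-with-a-random-server-side-secret"
TOKEN_MAX_AGE = 3600                     # seconds a JS-issued token stays valid
HONEYPOT_PATHS = {"/internal/api-keys.txt", "/.well-known/do-not-fetch"}
STRIPE_NETS = [ipaddress.ip_network("203.0.113.0/24")]  # TEST-NET-3 stands in for verified ranges
RATE_LIMIT, RATE_WINDOW = 5, 10.0        # requests per window per IP, window in seconds


@dataclass
class Request:
    ip: str
    user_agent: str
    path: str
    ts: float                            # unix time the request arrived
    token: Optional[str] = None          # cookie the page's JavaScript set, if any


def issue_token(ip: str, ts: int) -> str:
    """Value the page's JS would store in a cookie: '<ts>.<hmac(ip|ts)>'.
    Binding it to the client IP stops one harvested token from serving a scraper fleet."""
    mac = hmac.new(TOKEN_SECRET, f"{ip}|{ts}".encode(), hashlib.sha256).hexdigest()
    return f"{ts}.{mac}"


def token_valid(token: Optional[str], ip: str, now: float) -> bool:
    """Constant-time MAC check plus an age window; anything malformed is invalid."""
    if not token or "." not in token:
        return False
    ts_str, mac = token.split(".", 1)
    if not ts_str.isdigit():
        return False
    ts = int(ts_str)
    if now - ts > TOKEN_MAX_AGE or ts > now + 60:   # expired, or minted in the future
        return False
    expected = hmac.new(TOKEN_SECRET, f"{ip}|{ts}".encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(mac, expected)


class Gate:
    """block_stripe=True refuses every Stripe UA or Stripe network (the page's goal);
    block_stripe=False refuses only a Stripe UA from outside STRIPE_NETS (the spoofing case)."""

    def __init__(self, block_stripe: bool = True):
        self.block_stripe = block_stripe
        self.banned = set()
        self.hits = defaultdict(deque)   # ip -> request timestamps inside the window

    def _over_rate(self, ip: str, now: float) -> bool:
        q = self.hits[ip]
        q.append(now)
        while q and now - q[0] > RATE_WINDOW:
            q.popleft()
        return len(q) > RATE_LIMIT

    def decide(self, r: Request) -> str:
        if r.ip in self.banned:
            return "banned"
        if r.path in HONEYPOT_PATHS:     # 4) nothing links here, so any visitor is a crawler
            self.banned.add(r.ip)        #    fail2ban-style: ban the source outright
            return "banned"
        if self._over_rate(r.ip, r.ts):  # 3) applies to everyone, verified crawler included
            return "rate_limited"
        claims_stripe = "stripe" in r.user_agent.lower()                    # 1) UA match
        in_net = any(ipaddress.ip_address(r.ip) in n for n in STRIPE_NETS)  # 2) network match
        if self.block_stripe and (claims_stripe or in_net):
            return "block_stripe"
        if claims_stripe and not in_net:
            return "block_spoofed_ua"     # the UA is free text; the source network is not
        if claims_stripe:
            return "allow_stripe"         # verified crawler: exempt from the JS token
        if not token_valid(r.token, r.ip, r.ts):  # 4) everyone else needs a live token
            return "challenge"
        return "allow"


def run_sample(block_stripe: bool = True):
    """Constructed requests (not real traffic) run through the gate, in arrival order."""
    t0 = 1_700_000_000
    reqs = [
        Request("192.0.2.10", "Mozilla/5.0", "/pricing", t0 + 1, issue_token("192.0.2.10", t0)),
        Request("192.0.2.10", "Mozilla/5.0", "/pricing", t0 + 2, "1.deadbeef"),    # forged token
        Request("203.0.113.5", "Stripe/1.0", "/terms", t0 + 3),                     # UA and network agree
        Request("198.51.100.7", "Stripe/1.0", "/products", t0 + 4),                 # spoofed UA
        Request("198.51.100.7", "Mozilla/5.0", "/internal/api-keys.txt", t0 + 5),  # honeypot hit
        Request("198.51.100.7", "Mozilla/5.0", "/pricing", t0 + 6),                 # already banned
    ] + [Request("192.0.2.99", "curl/8.0", "/products", t0 + 7 + i) for i in range(7)]  # burst
    gate = Gate(block_stripe=block_stripe)
    return [gate.decide(r) for r in reqs]
```

In production the honeypot ban and the rate limit would live in Nginx and fail2ban rather than in application code; the point of the single decide() function is the ordering: ban and honeypot checks before anything else, rate limiting for every source including a verified crawler, and the UA consulted only together with the source network, never on its own.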