Secure Communications
This guide provides client-server security information to help you ensure secure communications between your customer and your server.
Using TLS and HTTPS
TLS (Transport Layer Security) secures data in transit between the client (the app or browser that your customer is using) and your server. This was originally done with the SSL (Secure Sockets Layer) protocol, which is outdated, no longer secure, and has been replaced by TLS. The term “SSL” is still used colloquially to refer to TLS and its role in protecting transmitted data.
Payment pages must make use of a modern version of TLS (e.g., TLS 1.2) as it significantly reduces the risk of you or your customers being exposed to a man-in-the-middle attack. TLS attempts to accomplish the following:
Encrypt and verify the integrity of traffic between the client and your server
Verify that the client is communicating with the correct server. In practice, this usually means verifying that the owner of the domain and the owner of the server are the same entity. This helps prevent man-in-the-middle attacks. Without it, there’s no guarantee that you’re encrypting traffic to the right recipient.
Additionally, your customers are more comfortable sharing sensitive information on pages visibly served over HTTPS, which can help increase your customer conversion rate.
If need be, you can test your integration without using HTTPS, and enable it once you are ready to accept live charges. However, all interactions between your server and Affirm must use TLS 1.2 (i.e., when using our libraries).
Supported Ciphers
Current List of Supported Ciphers as of 02/12/2025
AEAD-AES128-GCM-SHA256
AEAD-AES256-GCM-SHA384
AEAD-CHACHA20-POLY1305-SHA256
ECDHE-ECDSA-AES128-GCM-SHA256
ECDHE-ECDSA-CHACHA20-POLY1305
ECDHE-RSA-AES128-GCM-SHA256
ECDHE-RSA-CHACHA20-POLY1305
ECDHE-ECDSA-AES256-GCM-SHA384
ECDHE-RSA-AES256-GCM-SHA384
Supported Protocols and Ciphers
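One way to enforce the requirements above on outbound calls from a Python server, as an added example that is not Affirm's code or part of its libraries. The function names are hypothetical, and the mapping of the AEAD-* entries to OpenSSL's TLS 1.3 suite names is an assumption.

```python
import ssl

# TLS 1.2 suites from the supported-cipher list above (OpenSSL names).
TLS12_SUITES = [
    "ECDHE-ECDSA-AES128-GCM-SHA256",
    "ECDHE-ECDSA-CHACHA20-POLY1305",
    "ECDHE-RSA-AES128-GCM-SHA256",
    "ECDHE-RSA-CHACHA20-POLY1305",
    "ECDHE-ECDSA-AES256-GCM-SHA384",
    "ECDHE-RSA-AES256-GCM-SHA384",
]
# Assumption: the AEAD-* entries in the list are the TLS 1.3 suites,
# which OpenSSL reports under these names.
TLS13_SUITES = {
    "TLS_AES_128_GCM_SHA256",
    "TLS_AES_256_GCM_SHA384",
    "TLS_CHACHA20_POLY1305_SHA256",
}


def build_client_context():
    """Client context: certificate and hostname checks on, TLS 1.2 or newer."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED, check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # Restricts TLS 1.2 suites only; OpenSSL manages TLS 1.3 suites separately.
    ctx.set_ciphers(":".join(TLS12_SUITES))
    return ctx


def offered_tls12_suites(ctx):
    """Names of the TLS 1.2 suites this context will offer in a handshake."""
    return [c["name"] for c in ctx.get_ciphers() if c["protocol"] == "TLSv1.2"]


def negotiated_ok(cipher_info):
    """Check the (name, protocol, bits) tuple returned by SSLSocket.cipher().

    The protocol field is the TLS version that defines the suite.
    """
    if cipher_info is None:  # no handshake has completed
        return False
    name, protocol, _bits = cipher_info
    if protocol == "TLSv1.3":
        return name in TLS13_SUITES
    return protocol == "TLSv1.2" and name in TLS12_SUITES
```

After a handshake made with this context, pass the socket's `cipher()` result to `negotiated_ok` and log or reject connections where it returns `False`.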
Security Best Practices
Visit our Security Best Practices page to discover Affirm's recommendations and strategies for keeping sensitive information secure.