In addition to using HTTPS, what issues need to be considered to avoid being attacked, and what operational considerations need to be addressed?
On the operations and maintenance side, the friends above have already covered it, so I will not repeat it.
At the code logic level:
1. In the payment-success callback notification interface, do the sign signature comparison according to the payment platform's documentation.
2. In the payment-success callback notification interface, besides the sign signature comparison, you must also compare the amount properly, to avoid the 1-cent payment loophole.
3. For refund operations, the client can only submit an application; the real refund process is done in the backend, where staff confirm the refund. In addition, when you refund, you must withdraw the order and not transfer to the user directly.
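The first two points above (signature comparison, then amount comparison against the merchant's own order record) as a worked example. This is added illustration code, not code from the original post or from any payment platform; the HMAC-SHA256 "sorted key=value" signing scheme, the parameter names (`out_trade_no`, `total_amount`, `trade_status`, `sign`) and the merchant secret are assumptions standing in for whatever the platform's documentation specifies.

```python
import hmac
import hashlib
from decimal import Decimal

# Constructed merchant secret; a real one is issued by the payment platform.
MERCHANT_SECRET = b"demo-merchant-secret-not-real"

# Constructed order store. Amounts are kept in cents as integers so the
# comparison is exact (no float drift).
ORDERS = {
    "ORD-1001": {"amount_cents": 19900, "status": "pending"},
}

def build_sign_string(params: dict) -> str:
    """Canonical form: non-empty params except 'sign', as key=value sorted by key."""
    return "&".join(
        f"{k}={v}" for k, v in sorted(params.items())
        if k != "sign" and v not in (None, "")
    )

def compute_sign(params: dict, secret: bytes) -> str:
    """HMAC-SHA256 over the canonical string (assumed scheme, see lead-in)."""
    return hmac.new(secret, build_sign_string(params).encode(), hashlib.sha256).hexdigest()

def verify_sign(params: dict, secret: bytes) -> bool:
    """Constant-time comparison so the check does not leak through timing."""
    expected = compute_sign(params, secret)
    return hmac.compare_digest(expected, params.get("sign", ""))

def handle_callback(params: dict, orders: dict, secret: bytes) -> str:
    """Process one payment-success notification; returns the decision taken."""
    # Step 1: signature comparison. Anything unsigned or tampered stops here.
    if not verify_sign(params, secret):
        return "reject: bad signature"
    order = orders.get(params.get("out_trade_no"))
    if order is None:
        return "reject: unknown order"
    if params.get("trade_status") != "TRADE_SUCCESS":
        return "ignore: not a success notification"
    # Step 2: amount comparison against OUR record, never the client's claim.
    # A valid signature on a 1-cent payment must not unlock a 199.00 order.
    paid_cents = int(Decimal(params.get("total_amount", "0")) * 100)
    if paid_cents != order["amount_cents"]:
        return "reject: amount mismatch"
    # Platforms retry notifications, so marking paid must be idempotent.
    if order["status"] == "paid":
        return "ignore: already paid"
    order["status"] = "paid"
    return "ok: order marked paid"
```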
The source code is encrypted with Zend.
The key point is to make all kinds of backups (especially of the database), whether cold or hot.
What is most feared is not that someone takes away the database, but that someone destroys the database.
(Previously, a system's database was destroyed and held for ransom, and no backup had been made.)
There are many aspects to consider. First of all, your system needs to undergo a complete security test.
Most of them are issues to watch during the development of the system itself, such as the degree of SQL injection protection.