I was reading a Stripe tutorial last week and watched the author write amount: req.body.amount. That single line lets any user buy Premium for $1. It's also a common pattern in Stripe Checkout starter code. This post is about why, and how to make it impossible.

The setup

You're building a paywalled product. You wire up Stripe Checkout, follow a popular tutorial, ship it. Looks great. Tests pass. Users are paying.

Six months later, someone opens DevTools, edits the request body, and pays €1 for your Premium plan.

Your Stripe dashboard shows a successful charge. Stripe doesn't validate your business logic. It charged what it was told to charge. Your database shows a Premium subscription. Your billing logic is doing exactly what you wrote.

This is price tampering. It happens at the one line where the server decides what to charge.

The vulnerable pattern

Here's the shape of the bug. Paraphrased from a tutorial I won't link.…
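The vulnerable shape next to a hardened one, as an added example that is not code from this post or from the tutorial it mentions. The plan ids, prices and function names are assumptions made for illustration; the functions only build the parameters a server would pass to Stripe Checkout, so the block runs offline.

```javascript
// Added example with constructed values.
// Server-side catalogue: the only source of truth for what a plan costs.
// Plan ids and amounts (in cents) are assumptions for illustration.
const PLANS = Object.freeze({
  basic: { name: "Basic", unitAmount: 900, currency: "eur" },
  premium: { name: "Premium", unitAmount: 4900, currency: "eur" },
});

// Builds one Checkout line item with an inline price.
function lineItem(name, currency, unitAmount) {
  return {
    quantity: 1,
    price_data: { currency, unit_amount: unitAmount, product_data: { name } },
  };
}

// Vulnerable shape: the amount is copied straight from the request body.
function vulnerableSessionParams(body) {
  return {
    mode: "payment",
    line_items: [lineItem("Premium", "eur", body.amount)],
  };
}

// Hardened shape: the client names a plan, the server decides the price.
function hardenedSessionParams(body) {
  const planId = typeof body.plan === "string" ? body.plan : "";
  // Own-property check so ids like "constructor" never resolve to a plan.
  if (!Object.prototype.hasOwnProperty.call(PLANS, planId)) {
    throw new Error("unknown plan");
  }
  const plan = PLANS[planId];
  // body.amount is never read: a tampered value has nothing to influence.
  return {
    mode: "payment",
    line_items: [lineItem(plan.name, plan.currency, plan.unitAmount)],
  };
}

// Constructed request body with the amount field edited on the client.
const tampered = { plan: "premium", amount: 100 };
const amountOf = (p) => p.line_items[0].price_data.unit_amount;
console.log(amountOf(vulnerableSessionParams(tampered))); // 100
console.log(amountOf(hardenedSessionParams(tampered))); // 4900
```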