
I'm trying to use the sellix.io API to create a payment in PHP. Everything works fine locally, but once I upload the code to the web host I get

{"status":400,"data":null,"message":null,"log":null,"error":"Transaction flagged as potential fraud (xxxxxxxxxxx).","env":"production"}

It says my request is flagged as potential fraud. Asking around, I was told that "sending a payment request from a server which can be considered a VPN or a RDP with no useragent nor fingerprint of that device may be flagged".

How can I send the request with a proper useragent or fingerprint? This is the code I've been using:

<?php
    $mail = $_GET["mail"];
    $url = "https://dev.sellix.io/v1/payments";

    $data = json_encode(array(
        "title" => "MyProduct",
        "product_id" => "xxxxxxxxxxx",
        "gateway" => "PAYPAL",
        "value" => 20,
        "currency" => "EUR",
        "quantity" => 1,
        "email" => $mail,
        "white_label" => false,
        "return_url" => "https://dev.sellix.io/v1/return" //not sure what this is supposed to do...
    ));

    $curl = curl_init($url);
    curl_setopt($curl, CURLOPT_POST, true);
    curl_setopt($curl, CURLOPT_POSTFIELDS, $data);
    curl_setopt($curl, CURLOPT_RETURNTRANSFER, true);
    curl_setopt($curl, CURLOPT_HTTPHEADER, array(
        'Content-Type: application/json', // the body is JSON, not form-urlencoded
        'Authorization: Bearer ' . 'xxxxxxxxxxxxxxxx(API KEY)xxxxxxxxxxxxxxxx'
    ));
    $response = curl_exec($curl);
    curl_close($curl);

    $decoded = ($response === false) ? null : json_decode($response);
    if ($decoded === null || empty($decoded->data->url)) {
        // Show the API's error JSON (e.g. the fraud flag) instead of redirecting to an empty URL.
        // Echoing before header() would otherwise break the redirect ("headers already sent").
        echo $response;
        exit;
    }
    header("Location: " . $decoded->data->url); //redirects the current page to the payment page.
?>
Sapu

1 Answer

This is a guess based on the lack of information related to your question on their help page and API documentation. I have listed some tips in the order I would try to debug this:

1: Sending user agent header

Try adding the user-agent header of your client. This will be available in $_SERVER['HTTP_USER_AGENT']


curl_setopt($curl, CURLOPT_HTTPHEADER, array(
        // Each header is its own array element; do not join them with "\r\n" into one string.
        // Fall back to a static value when the client sent no User-Agent (see caveat below).
        'User-Agent: ' . ($_SERVER['HTTP_USER_AGENT'] ?? 'MyShop/1.0'),
        'Authorization: Bearer ' . 'xxxxxxxxxxxxxxxx(API KEY)xxxxxxxxxxxxxxxx'
    ));

Caveat: If you are doing some custom ajax you may not get the header. You can also provide a static value, but essentially avoiding fraud is in your best interest.

2: Adding a fingerprint header/cookie

Fingerprinting is (apparently) sending information to identify the browser. According to this OWASP article it could be stored in a cookie called __Secure-Fgp which you would have to add to the request.

This SO answer goes some way to show one method of calculating the fingerprint client side.

Disclaimer: I have not tried this myself, and I would query their support if there is a header this would fit into.

3: Debugging with another product

According to their help page you can set the "max_risk_level" to 100 on a POST /products call in order to turn off their fraud engine. DO NOT DO THIS IN PRODUCTION: fraud prevention mechanics are there to prevent you from being cheated as well. But it may help you to find out what is going wrong and get a proof of concept up and running.

JoSSte
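Putting the answer's first tip together with the question's request, here is an added example (not code from the question, the answer, or Sellix) of a helper that sends the payment request with an explicit JSON content type and a User-Agent header, and then distinguishes a fraud-flagged 400 from a successful response instead of redirecting blindly. The endpoint and body fields are those from the question; the function name, the fallback User-Agent string and the returned array shape are assumptions of this example.

```php
<?php
// Added example: create a Sellix payment and classify the outcome.
// Endpoint and body fields are taken from the question; the function name,
// the fallback User-Agent string and the return shape are this example's own.
function sellix_create_payment(string $apiKey, string $email): array
{
    if (!filter_var($email, FILTER_VALIDATE_EMAIL)) {
        return ['ok' => false, 'reason' => 'invalid_email', 'url' => null];
    }
    $body = json_encode([
        'title'       => 'MyProduct',
        'product_id'  => 'xxxxxxxxxxx',   // placeholder, as in the question
        'gateway'     => 'PAYPAL',
        'value'       => 20,
        'currency'    => 'EUR',
        'quantity'    => 1,
        'email'       => $email,
        'white_label' => false,
        'return_url'  => 'https://dev.sellix.io/v1/return',
    ]);
    // Forward the buyer's browser User-Agent when we have it (the answer's tip 1);
    // fall back to a static, descriptive value for callers that send none.
    $userAgent = $_SERVER['HTTP_USER_AGENT'] ?? 'MyShop-Backend/1.0 (+https://example.invalid)';
    $curl = curl_init('https://dev.sellix.io/v1/payments');
    curl_setopt_array($curl, [
        CURLOPT_POST           => true,
        CURLOPT_POSTFIELDS     => $body,
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_TIMEOUT        => 15,
        CURLOPT_HTTPHEADER     => [           // one header per array element
            'Content-Type: application/json',
            'User-Agent: ' . $userAgent,
            'Authorization: Bearer ' . $apiKey,
        ],
    ]);
    $raw    = curl_exec($curl);
    $status = curl_getinfo($curl, CURLINFO_HTTP_CODE);
    curl_close($curl);
    if ($raw === false) {
        return ['ok' => false, 'reason' => 'transport_error', 'url' => null];
    }
    $resp = json_decode($raw, true);
    // The fraud engine answers HTTP 400 with an "error" string, as seen in the question.
    if ($status >= 400 || empty($resp['data']['url'])) {
        return ['ok' => false, 'reason' => $resp['error'] ?? "http_$status", 'url' => null];
    }
    return ['ok' => true, 'reason' => null, 'url' => $resp['data']['url']];
}
```

The calling page issues `header('Location: ' . $result['url'])` only when `$result['ok']` is true and renders an error page with `$result['reason']` otherwise, so a flagged transaction never becomes a redirect to an empty URL.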