checkout_settings and security options.
For template syntax ([[ ]], bindings, checkout.* in the page builder), see Frontend Template Engine: Checkout.
1) Enable checkout on a page
Checkout behavior runs only when the page is marked as a checkout page:- Open Page List → Edit Page
- Enable Is checkout page
- Save
checkout scope data, submit handling, payment processing, and post-purchase redirects may not run as documented here.
2) Checkout scope (frontend)
On checkout pages, thecheckout scope is available to templates and bindings.
Common keys:
Template engine details: Checkout.
3) Supported form field names
These align with what the checkout runtime validates and submits (shipping-first; billing can mirror shipping). Shipping / personal (primary)first_name,last_name,emailphone(optional)shipping_address,shipping_address2(optional)shipping_country,shipping_city,shipping_state,shipping_zip- Optional explicit shipping names:
shipping_first_name,shipping_last_name
billing_first_name,billing_last_namebilling_address,billing_address2,billing_country,billing_city,billing_state,billing_zip
shipping_same_as_billing→checkout.shipping_same_as_billing
- Use
data-checkout-error="<field_name>"matching the inputnamefor inline validation messages.
4) checkout_settings (backend script)
Configure checkout using variables set in a backend script on the same checkout page (<script scope="backend">). The platform reads checkout_settings when the page is rendered.
4.1 Countries and US states allowlist
Keys:checkout_settings.countries→ drivescheckout.countriesin the UIcheckout_settings.usStates→ drivescheckout.usStatesfor US state dropdowns
- Two-letter codes as strings:
'US','ca','tx' { value: 'US' }{ value: 'US', label: 'United States' }
- Values are normalized (e.g. uppercase) and validated against built-in lists.
- Invalid entries are dropped.
- If nothing valid remains, the full default lists are used (not restricted).
- The effective allowlist is stored in the visitor session and re-validated on submit, so blocked values cannot be forced with browser devtools alone.
4.2 Example: countries only
4.3 Example: US states only
5) Checkout abuse protection (card-testing / velocity)
Optional progressive friction on main sale card checkout submissions (POST /process-checkout). It is off by default unless you set checkout_settings.abuse_protection.enabled to true.
This is separate from site-wide page rate limiting / HTML captcha on normal page views. Abuse protection here applies only to the checkout payment submit path when enabled on the checkout page.
5.1 Configuration
You can omit
thresholds entirely to use defaults. Partial overrides are merged with defaults for any key you specify.
5.2 What is protected
- In scope: Main sale submissions to
POST /process-checkoutwhen the request is not marked as an upsell (type≠upsell). - Out of scope: One-click upsell charges, PayPal/Klarna flows that do not use the same submit path, and arbitrary API calls. Tighten other surfaces separately if needed.
5.3 Session lifecycle
- When a visitor loads a checkout page, sanitized abuse settings are stored in session (with
brand_id, checkoutpage_idfrom the render context, and a timestamp). - Each qualifying
POST /process-checkoutis counted per visitor IP inside a checkout-specific bucket (not mixed with generic page-view rate limits). - If settings are stale (e.g. older than 24 hours) or brand / page no longer match the request, the stored config is cleared and protection does not apply until the visitor loads checkout again.
- After a successful checkout captcha verification, the visitor receives a short-lived “verified” flag for checkout (default 15 minutes) and the checkout attempt counter for that IP is reset, so legitimate users can complete payment after solving the challenge.
5.4 Progressive behavior
Withinwindow_ms, counting checkout submit attempts for the IP:
Local and private IPs are not rate-limited by this checkout guard.
5.5 JSON response fields (checkout submit)
When abuse protection returns an error-shaped response, the JSON may include:error_code values (submit / middleware)
Captcha verification (handled inside checkout UI, not a merchant integration surface) may return
CHECKOUT_CAPTCHA_INVALID, CHECKOUT_CAPTCHA_DISABLED, CHECKOUT_CAPTCHA_SAVE_FAILED, or CHECKOUT_CAPTCHA_ERROR if something goes wrong; the UI refreshes the challenge or shows an error.
5.6 Tuning and false positives
- Corporate NAT or shared IPs can concentrate traffic on one address; if legitimate buyers are challenged too often, raise
captcha_requestsor widenwindow_ms. - For testing, use low thresholds only on a sandbox checkout or test brand.
- If protection “never fires,” confirm the checkout page was loaded in the same browser session before submit (session must contain the config).
6) Payment panel and submit wiring
Recommended card flow:<checkout-cc-panel> attributes
The panel builds its UI client-side from these attributes and
efScope.checkout. When PayPal or Klarna is configured, the panel renders as a tabbed accordion (PayPal / Klarna / Card). Otherwise it renders card fields only.
Smart field detection
The card panel automatically detects which checkout fields are present on the page and fills in any gaps:- Cardholder name: If
first_nameandlast_nameinputs are not on the page, a “Cardholder Name” field appears inside the card panel. - Billing details: If no
billing_addressorshipping_addressinputs are on the page, the card panel shows a billing details section (name, country, address line). - Auto-copy: When billing fields are inside the card panel and no shipping fields exist on the page, billing values are automatically copied to shipping during submission (and vice versa).
Wallet contact field auto-detection
Apple Pay and Google Pay automatically detect which contact fields to request from the wallet based on which checkout fields are on the page:
No configuration is needed. For digital products that only need email and payment, the wallet skips address collection entirely.
<checkout-apple-pay />
Standalone Apple Pay button placement. Renders a container where the Apple Pay button appears (when the customer’s device supports it). Use this to position Apple Pay separately from the card panel:
Wallet conditional display
After the payment form loads,checkout.wallet_available is set with { applePay: true/false, googlePay: true/false }. Use template-if to show or hide elements:
Styling checkout fields
Checkout input fields (floating labels, focus rings, active label color) respond to a single CSS variable:
Set it in the page’s
<style> block to match your brand:
:root:
ef-floating-input, ef-form-input) and quiz fields (ef-quiz-floating-input) inherit the value automatically. No other changes are needed.
Styling the wallet divider
The “or pay another way” divider between Apple Pay and the card panel uses theef-wallet-divider classes. These are not styled by the platform — define them in your page’s <style> block so each page can match its own design:
7) After successful payment (redirects)
- If the server returns
redirectUrl, the visitor is sent there. - Otherwise, the default purchase confirmation route is used (query parameters typically include order and email).
8) Troubleshooting
Related docs
- How to design a checkout page — build walkthrough and HTML patterns
- Frontend Template Engine: Checkout —
checkout.*in templates - Frontend Template Engine: Cart — cart lines, bumps, qty controls
- Checkout redirect behavior — post-checkout routing
- reCAPTCHA setup — site-wide captcha (separate from checkout abuse modal)