Developer Documentation
Security Production Checklist
- HTTPS enforced in production
- Cloudflare/WAF configured
- CORS allowlist set
- `APP_DEBUG=false` set
- Rate limiting enabled
- `.env` protected and outside public access
- Admin routes protected by role/permission checks
- Provider credentials encrypted or masked
- Backups encrypted and stored offsite
- Logs protected from public access
- KYC files outside public web root
- Audit logging enabled
- Admin OTP/2FA flow enabled
- Least-privilege database user
- Directory listing disabled
- Webhook signature verification enabled
- Idempotency enforced on money movement
- PIN lockouts and brute-force protection enabled
- Restore test completed before pilot