Developer Documentation

Security Review Checklist

Security Review Checklist

• HTTPS enforced in production.
• CORS allowlist contains only trusted app/dashboard origins.
• JWT access tokens have short TTL.
• Refresh tokens are rotated and stored hashed.
• Passwords use password_hash().
• Transaction PINs use separate hashes.
• OTP codes are hashed and expire.
• API keys are hashed and full key is shown once.
• Webhook signatures are validated.
• Idempotency keys protect financial creation/confirmation endpoints.
• Rate limiting covers IP, user, endpoint, OTP, PIN, auth, and API key traffic.
• Brute-force controls lock or slow suspicious login/PIN/OTP attempts.
• Admin 2FA/OTP is required before pilot admin access.
• File uploads are type/size limited.
• KYC files are outside public root.
• Logs do not contain raw secrets, passwords, PINs, or full provider credentials.
• No secrets are committed in code.
• .env is not accessible over HTTP.
• Directory listing is disabled.
• Input validation is applied to request bodies and route parameters.
• PDO prepared statements are used for database writes and reads.
• API responses are JSON encoded to reduce XSS risk.
• Dashboard/admin frontends must add CSRF protection when built.
• Audit logging is enabled for sensitive actions.
• Fraud/risk logging is enabled for suspicious behavior.
• Backups should be encrypted before offsite transfer.