Security Best Practices

Keep your Corex402 deployment secure

Private Key Management

❌ DON'T DO THIS
// NEVER hardcode private keys: a literal in source ends up in version control,
// build artifacts and bundles, and cannot be rotated without shipping new code.
const wallet = Keypair.fromSecretKey(
  new Uint8Array([1,2,3,4,5...])  // DON'T!
);
✅ DO THIS
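// Load from environment
const privateKey = process.env.WALLET_PRIVATE_KEY;
// Fail fast with a clear message when the variable is unset or empty;
// Buffer.from(undefined, 'base64') would otherwise throw a generic TypeError.
// The message deliberately does not include the value: it is a secret.
if (privateKey == null || privateKey === '') {
  throw new Error('WALLET_PRIVATE_KEY is not set');
}
// The variable is expected to hold the base64-encoded secret key bytes.
const secretKey = Buffer.from(privateKey, 'base64');
const wallet = Keypair.fromSecretKey(secretKey);

// For production: Use hardware wallet or KMS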

Always Verify Signatures

import { verifyOffer, verifyReceipt } from 'x402pp-core';

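// ALWAYS verify offers before accepting
try {
  verifyOffer(offer);
  // Signature valid ✓
} catch (error) {
  // Signature invalid - offer tampered!
  // Keep the original error as `cause` so the underlying verification
  // failure survives for logs; the message callers see is unchanged.
  throw new Error('Invalid offer', { cause: error });
}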

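// ALWAYS verify receipts
try {
  verifyReceipt(receipt);
  // Receipt authentic ✓
} catch (error) {
  // Receipt forged!
  // Keep the original error as `cause` so the underlying verification
  // failure survives for logs; the message callers see is unchanged.
  throw new Error('Invalid receipt', { cause: error });
}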

Use HTTPS

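// Production: Enforce HTTPS
// Use req.secure rather than comparing X-Forwarded-Proto by hand: the raw
// header is client-supplied, may carry a comma-separated list when several
// proxies are chained, and Express only honours it once the app has been told
// which proxy hops to trust, e.g. app.set('trust proxy', 1) behind a
// TLS-terminating load balancer. Direct TLS connections set req.secure too.
app.use((req, res, next) => {
  if (process.env.NODE_ENV === 'production' && !req.secure) {
    // Redirect target is built from the request's own Host header, as before.
    res.redirect(`https://${req.header('host')}${req.url}`);
  } else {
    next();
  }
});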

Rate Limiting

import rateLimit from 'express-rate-limit';

// Allow at most 100 requests per key in any 15-minute window.
// NOTE: express-rate-limit keys on the client address by default; behind a
// proxy, configure 'trust proxy' so req.ip reflects the real client.
const windowMs = 15 * 60 * 1000;
const limiter = rateLimit({
  windowMs,
  max: 100,
});

app.use('/api/*', limiter);