OutpayDocs
Operations

Operational security

Security controls for the application and its payment workers.

The application implements hashed API keys, timing-safe secret comparison, encrypted merchant webhook secrets, parameterized SQL, wallet-ownership signatures, SSRF checks on merchant-configured webhook URLs, structured-log redaction, and rate limits across public and authenticated surfaces.

The current release also has documented gaps: no configured CORS policy, no rate limiting on admin routes, and no automated blockchain-reorg handling. These are documented limitations, not capabilities to imply exist behind a generic security claim — see system status.

On this page