Security Best Practices
Never expose your secret key in client-side code. Always keep it in server environment variables.
Security Checklist
- ✅ Secret key stored in environment variables — never in code
- ✅ Webhook signature verification implemented on all webhook endpoints
- ✅ HTTPS enforced for all API calls and webhook URLs
- ✅ Input validation on server side before processing
- ✅ CSRF protection on payment forms
- ✅ Webhook endpoint returns 200 only after successful processing
- ✅ Never log full webhook payloads in production
Do vs Don't
// ❌ DANGEROUS — secret key exposed in frontend
RazCrypto.init({
  public_key_id: "rz_pub_...",
  secret_key: "rz_sec_..." // Anyone can steal this!
});

// ❌ Skip signature verification
app.post('/webhook', (req, res) => {
  const data = req.body; // Trusting without verification!
  processPayment(data);
});

// ✅ CORRECT — only public key in frontend
RazCrypto.init({
  public_key_id: "rz_pub_..."
  // Secret key stays on server!
});
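// ✅ Always verify signature
const crypto = require('crypto');

app.post('/webhook', express.raw({type:'application/json'}), (req, res) => {
  const sig = req.headers['x-razcrypto-signature'];
  // req.body is a Buffer here (express.raw), so the HMAC covers the exact bytes received
  const expected = crypto.createHmac('sha256', process.env.RAZ_WEBHOOK_SECRET)
    .update(req.body).digest('hex');
  // timingSafeEqual throws on a missing header or a length mismatch, so reject those first
  const sigBuf = Buffer.from(typeof sig === 'string' ? sig : '');
  const expectedBuf = Buffer.from(expected);
  if (sigBuf.length !== expectedBuf.length ||
      !crypto.timingSafeEqual(expectedBuf, sigBuf)) {
    return res.status(401).end();
  }
  // Safe to process; return 200 only after processing succeeds
});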
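
The check above only works when the HMAC is computed over the exact bytes that were sent, which is why the handler uses express.raw. The following is an added example, not RazCrypto's own code: it wraps the same hex HMAC-SHA256 check in a function that returns false instead of throwing on a missing or malformed header, and shows a re-serialised JSON body failing verification. The secret, event name and amount are constructed sample values, and sign and verifyWebhook are hypothetical helper names.

```javascript
const crypto = require('crypto');

// Hex HMAC-SHA256 over the exact bytes received, as in the handler above.
function sign(rawBody, secret) {
  return crypto.createHmac('sha256', secret).update(rawBody).digest('hex');
}

// Returns true only for a well-formed signature that matches rawBody.
// Never throws: a missing, malformed or wrong-length header is just "invalid".
function verifyWebhook(rawBody, sigHeader, secret) {
  if (!Buffer.isBuffer(rawBody) || typeof sigHeader !== 'string') return false;
  // digest('hex') of SHA-256 is always 64 lowercase hex characters
  if (!/^[0-9a-f]{64}$/.test(sigHeader)) return false;
  const expected = Buffer.from(sign(rawBody, secret), 'hex');
  const received = Buffer.from(sigHeader, 'hex');
  // Both buffers are 32 bytes here, so timingSafeEqual cannot throw
  return crypto.timingSafeEqual(expected, received);
}

// Constructed sample values for the demo; not real RazCrypto data.
const SECRET = 'constructed-demo-secret';
const RAW = Buffer.from('{"event":"payment.confirmed", "amount":"10.50"}');

function demo() {
  const sig = sign(RAW, SECRET);
  // What you get after a JSON body parser: re-serialising drops the space
  // after the comma, so the bytes no longer match what was signed.
  const reserialised = Buffer.from(JSON.stringify(JSON.parse(RAW.toString())));
  const tampered = Buffer.from(RAW.toString().replace('10.50', '99.50'));
  return {
    valid: verifyWebhook(RAW, sig, SECRET),
    reserialised: verifyWebhook(reserialised, sig, SECRET),
    tampered: verifyWebhook(tampered, sig, SECRET),
    missingHeader: verifyWebhook(RAW, undefined, SECRET),
    truncated: verifyWebhook(RAW, sig.slice(0, 10), SECRET),
    wrongSecret: verifyWebhook(RAW, sig, 'some-other-secret'),
  };
}

console.log(demo());
```

Only the first case returns true; every other case is rejected without an exception reaching the framework.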