1. Never Commit Secrets
# .gitignore
# Keep local environment files — the ones that hold API credentials — out of
# version control. All three spellings below are ignored.
.env
.env.local
.env.*.local
# Ignoring a file does not remove it from history: a secret that was ever
# committed should be treated as exposed and rotated.
2. Use Environment Variables
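// Good — Use environment variables
// Read the credentials once and fail fast if either is missing; otherwise the
// SDK is handed `undefined` and the failure only surfaces on the first API call.
const clientId = process.env.SALIGPAY_CLIENT_ID;
const clientSecret = process.env.SALIGPAY_CLIENT_SECRET;
if (!clientId || !clientSecret) {
  throw new Error("SALIGPAY_CLIENT_ID and SALIGPAY_CLIENT_SECRET must be set");
}

const saligpay = new SaligPay({ clientId, clientSecret });

// Bad — Hardcoded credentials. They end up in source control, build logs and
// every developer's checkout, and cannot be rotated without a code change:
//   new SaligPay({ clientId: "hardcoded-client-id", clientSecret: "hardcoded-secret" });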
3. Validate Webhook Origin
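import { timingSafeEqual } from "node:crypto";

const WEBHOOK_SECRET = process.env.SALIGPAY_WEBHOOK_SECRET;
// Refuse to start without the secret: an unset secret must never degrade into
// "accept every delivery".
if (!WEBHOOK_SECRET) {
  throw new Error("SALIGPAY_WEBHOOK_SECRET is not set");
}

/**
 * Constant-time comparison of the presented signature header with the
 * configured shared secret.
 *
 * Missing or repeated headers (not a string) are rejected outright. The length
 * check comes first because timingSafeEqual throws on buffers of unequal
 * length; it reveals only the secret's length, not its contents.
 *
 * @param {unknown} signature - value of the x-webhook-signature header
 * @param {string} secret - configured shared secret
 * @returns {boolean} true only when the header matches the secret exactly
 */
function isTrustedSignature(signature, secret) {
  if (typeof signature !== "string") return false;
  const presented = Buffer.from(signature);
  const expected = Buffer.from(secret);
  return presented.length === expected.length && timingSafeEqual(presented, expected);
}

app.post("/webhooks/saligpay", async (req, res) => {
  // Origin check first: nothing is parsed or acted on for an unauthenticated
  // request. Previously WEBHOOK_SECRET was declared but never used, so this
  // handler validated payload shape only, not where the payload came from.
  if (!isTrustedSignature(req.headers["x-webhook-signature"], WEBHOOK_SECRET)) {
    return res.status(401).send({ error: "Unauthorized" });
  }
  try {
    // NOTE(review): a shared-token header does not bind the request body. If
    // the SDK's constructEvent can verify a signature over the raw body when
    // given the header and secret, prefer that — confirm against the SDK docs.
    const payload = saligpay.webhooks.constructEvent(req.body);
    if (!payload.externalId || !payload.status) {
      return res.status(400).send({ error: "Invalid payload" });
    }
    await handlePayment(payload);
    return res.send({ received: true });
  } catch (error) {
    console.error("Webhook error:", error);
    return res.status(400).send({ error: "Invalid webhook" });
  }
});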
4. Use Sandbox Environment
// Always use sandbox for development
// Only an explicit NODE_ENV=production selects the live environment; anything
// else (unset, "development", "test", a typo) falls back to the sandbox.
const isProduction = process.env.NODE_ENV === "production";

const saligpay = new SaligPay({
  clientId: process.env.SALIGPAY_CLIENT_ID,
  clientSecret: process.env.SALIGPAY_CLIENT_SECRET,
  env: isProduction ? "production" : "sandbox",
});
5. Implement Rate Limiting
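import rateLimit from "express-rate-limit";

// Throttle the webhook endpoint so a flood of bogus deliveries cannot exhaust
// the server. The limiter keys on the client IP, which has two consequences:
//  - genuine deliveries all originate from the provider's few addresses, so a
//    limit that is too low drops real payment notifications — size
//    windowMs/max against the expected peak delivery volume;
//  - behind a reverse proxy Express must be configured to trust it
//    (`trust proxy`), or every request is keyed on the proxy's own address.
const webhookLimiter = rateLimit({
  windowMs: 15 * 60 * 1000, // 15 minutes
  max: 100, // Limit each IP to 100 requests per windowMs
});

app.post("/webhooks/saligpay", webhookLimiter, async (req, res) => {
  try {
    await saligpay.webhooks.listen(req, res, handler);
  } catch (error) {
    // A rejected promise from an async handler is not forwarded to Express 4's
    // error handling; without this catch the request would hang instead of
    // failing. Express 5 forwards it, in which case this is merely redundant.
    console.error("Webhook error:", error);
    if (!res.headersSent) {
      res.status(500).send({ error: "Webhook processing failed" });
    }
  }
});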
6. Secure Webhook Endpoints
Code// Use HTTPS in production const WEBHOOK_SECRET = process.env.WEBHOOK_SECRET; app.post("/webhooks/saligpay", async (req, res) => { const signature = req.headers["x-webhook-signature"]; if (signature !== WEBHOOK_SECRET) { return res.status(401).send({ error: "Unauthorized" }); } await saligpay.webhooks.listen(req, res, handler); });
