We take security seriously. If you discover a security vulnerability in the x402 Nano API, please report it responsibly.
Please DO NOT create a public GitHub issue for security vulnerabilities.
Instead, please report security issues by:
- Opening a private security advisory on GitHub
- Or emailing: security@x402nano.com (if available)
- Or contacting through GitHub discussions marked as private
Please provide:
- Description of the vulnerability
- Steps to reproduce the issue
- Potential impact
- Suggested fix (if any)
- Your contact information
Response Timeline:
- Initial Response: Within 48 hours
- Status Update: Within 7 days
- Fix Timeline: Depends on severity (critical issues prioritized)
Disclosure Policy:
- We request 90 days to address the issue before public disclosure
- We will credit reporters (unless they prefer to remain anonymous)
- We will provide updates on fix progress
Protect Your API Keys:
- Never commit API keys to version control
- Use environment variables for sensitive data
- Rotate API keys regularly
- Limit API key permissions where possible
Secure Your Wallets:
- Use strong, unique passwords (min 16 characters)
- Store encrypted wallet strings securely
- Never share wallet credentials
- Keep backups in secure, offline locations
Application Security:
- Validate all user input
- Use HTTPS only
- Implement rate limiting
- Log and monitor API usage
- Handle errors gracefully without exposing sensitive data
Environment Security:
- Keep dependencies updated
- Use secure coding practices
- Implement proper error handling
- Don't log sensitive information
Infrastructure:
- Use secure servers and networks
- Enable firewalls and security groups
- Keep systems patched and updated
- Use TLS 1.3 for all connections
Access Control:
- Implement least privilege access
- Use separate API keys per application/environment
- Revoke unused API keys
- Monitor for suspicious activity
Data Handling:
- Never store private keys or seeds unencrypted
- Minimize data retention
- Encrypt sensitive data at rest
- Use secure key management systems
Wallet Encryption:
- Wallets are encrypted using AES-256
- Encryption strength depends on password complexity
- Weak passwords may be vulnerable to brute force
Rate Limiting:
- Default: 100 requests per minute
- Helps prevent abuse and DDoS
- May be adjusted based on usage patterns
IP Logging:
- IP addresses logged for security and rate limiting
- Logs retained for limited time
- Used for abuse detection and prevention
✅ Implemented:
- HTTPS/TLS encryption
- AES-256 wallet encryption
- Rate limiting per IP
- API key authentication
- Input validation and sanitization
- Secure password handling
🔄 Planned:
- Two-factor authentication (2FA)
- Webhook signature verification
- Advanced rate limiting by API key
- Security headers (CSP, HSTS, etc.)
We strive to follow industry best practices:
- OWASP Top 10 awareness
- Secure development lifecycle
- Regular security reviews
- Dependency vulnerability scanning
This security policy may be updated periodically. Check back regularly for the latest information.
Last Updated: January 4, 2026
Thank you for helping keep x402 Nano API and our users secure!