Security

Security policy

This shop handles payments, delivery details, order links, and downloads, so security checks need to stay boring and strict.

Current controls

  • All browser writes go through the shared API client so credentials and CSRF headers stay consistent.
  • The backend validates route params, query strings, and request bodies with Fastify schemas before handlers run.
  • Database access stays inside Prisma services; raw SQL is blocked by the backend security script.
  • Admin and private account routes re-check authorization on the API, not only in the frontend.
  • Checkout redirects are restricted to configured frontend origins before Stripe sessions are created.
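As an added illustration of the last control (example code written for this page, not the shop's own implementation), the check below allowlists a checkout return URL against configured frontend origins before it would be handed to Stripe; the config name `FRONTEND_ORIGINS`, the function name and the sample origins are assumptions.

```javascript
// Added example, not the shop's code: allowlist a checkout return URL
// against configured frontend origins before creating a Stripe session.
// FRONTEND_ORIGINS and resolveCheckoutRedirect are assumed names.

// Constructed sample config; a real deployment would load this from env/config.
const FRONTEND_ORIGINS = [
  "https://shop.example.com",
  "http://localhost:5173",
];

/**
 * Returns an absolute URL string that may be used as the Stripe
 * success_url / cancel_url, or null if the candidate must be rejected.
 * Relative paths are resolved against the first configured origin; absolute
 * URLs must match a configured origin exactly (scheme + host + port).
 */
function resolveCheckoutRedirect(candidate, allowedOrigins = FRONTEND_ORIGINS) {
  if (typeof candidate !== "string" || candidate.length === 0) return null;
  // Normalise the allowlist through the URL parser so ":443" etc. compare equal.
  const allowed = new Set(allowedOrigins.map((o) => new URL(o).origin));
  let url;
  try {
    // Relative paths resolve against the primary origin. A protocol-relative
    // "//other.host/x" resolves to https://other.host/x, not to a local path.
    url = new URL(candidate, allowedOrigins[0]);
  } catch {
    return null; // unparseable input
  }
  // Only http(s): javascript:, data: and similar schemes have origin "null".
  if (url.protocol !== "https:" && url.protocol !== "http:") return null;
  // Exact-origin comparison (not startsWith / endsWith on the string) so that
  // hosts that merely contain the shop's hostname, or userinfo before an "@",
  // do not pass.
  if (!allowed.has(url.origin)) return null;
  // Strip any userinfo so the URL handed on is the plain frontend address.
  url.username = "";
  url.password = "";
  return url.toString();
}
```

The same function serves both success and cancel URLs; anything it returns as null should be answered with a 400 and logged rather than silently replaced.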

Reporting a problem

If you find a security issue, report it privately to the store owner with the affected URL, steps to reproduce, and impact. Please do not test with real payment cards, spam order emails, or access another customer's data.

Privacy

Customer data handling is covered in the privacy policy.