Report suspected vulnerabilities privately to security@makepay.io.

• Do not place MakePay keys in Ghost themes or Code Injection.
• Keep product prices in the relay catalog.
• Verify MakePay webhooks with X-MakePay-Signature.
• Use Ghost Admin API keys only from trusted server-side automation.