
Security: makecryptoio/makepay-salesforce


SECURITY.md

Security Policy

Reporting

Report suspected vulnerabilities privately to security@makepay.io.

Credential Handling

  • Store MakePay API credentials in Salesforce Named Credentials and External Credentials.
  • Use custom credential headers for X-MakeCrypto-Key-Id and X-MakeCrypto-Key-Secret.
  • Store webhook secrets in protected package configuration or an equivalent secure org-specific secret process.
  • Never commit Salesforce session IDs, MakePay API keys, webhook secrets, scratch org auth files, or production org URLs.

Webhook Verification

The package verifies X-MakePay-Signature using HMAC-SHA256 over timestamp.rawBody and rejects events outside the configured timestamp tolerance.
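The check described above, as an added receiver-side example in Python; it is not the package's own code. Assumptions: the signature is hex-encoded, the timestamp arrives as Unix seconds alongside the signature, the tolerance is 300 seconds, and the function names and sample values are hypothetical.

```python
import hashlib
import hmac
import time

TOLERANCE_SECONDS = 300  # assumed; the package reads its tolerance from configuration


def sign(secret: bytes, timestamp: str, raw_body: bytes) -> str:
    """Hex HMAC-SHA256 over timestamp + "." + rawBody (hex encoding is assumed)."""
    return hmac.new(secret, timestamp.encode() + b"." + raw_body, hashlib.sha256).hexdigest()


def verify(secret, timestamp, raw_body, signature, now=None, tolerance=TOLERANCE_SECONDS):
    """Return (ok, reason). raw_body must be the exact bytes received, before JSON parsing."""
    if not timestamp or not signature:
        return False, "missing header"
    if not timestamp.isascii() or not timestamp.isdigit():
        return False, "malformed timestamp"
    now = time.time() if now is None else now
    # Authenticate first: the timestamp is only trustworthy once the MAC matches.
    expected = sign(secret, timestamp, raw_body)
    # compare_digest is constant-time; bytes avoid TypeError on non-ASCII input.
    if not hmac.compare_digest(expected.encode(), signature.strip().lower().encode()):
        return False, "bad signature"
    if abs(now - int(timestamp)) > tolerance:
        return False, "outside tolerance"
    return True, "ok"


# Constructed sample values, not real MakePay data.
SECRET = b"whsec_example_only"
BODY = b'{"id":"evt_123","type":"payment.completed"}'
TS = "1700000000"
SIG = sign(SECRET, TS, BODY)


def demo():
    now = 1700000060  # 60 s after the signed timestamp
    return {
        "valid": verify(SECRET, TS, BODY, SIG, now=now),
        # Re-serialized JSON changes the bytes, so the MAC no longer matches.
        "reserialized_body": verify(SECRET, TS, BODY.replace(b'":"', b'": "'), SIG, now=now),
        # A captured request replayed an hour later fails the tolerance check.
        "replayed_late": verify(SECRET, TS, BODY, SIG, now=now + 3600),
        # Refreshing the timestamp does not help: it is covered by the MAC.
        "timestamp_swapped": verify(SECRET, "1700003600", BODY, SIG, now=now + 3600),
    }


if __name__ == "__main__":
    print(demo())
```

The last two cases show why the timestamp is part of the signed string: a replay either carries a stale timestamp or breaks the MAC.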

There aren't any published security advisories