Security: makecryptoio/makepay-strapi-plugin

SECURITY.md

Security Policy

Reporting a Vulnerability

Please report suspected vulnerabilities privately through GitHub security advisories for this repository.

Do not open public issues for credential exposure, webhook verification bypass, or request replay concerns.

Security Notes

  • Store MakePay key secrets in Strapi server-side environment variables.
  • Protect payment-link creation routes with Strapi policies or API tokens before exposing them publicly.
  • Verify signed webhooks before changing order, invoice, subscription, or entitlement state.
  • Persist processed event IDs to keep webhook handlers idempotent.
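The last two notes combined in one handler, as an added example that is not code from this plugin or from MakePay: it checks the signature over the raw body before anything else, then skips event IDs it has already processed. Assumptions: the signature is hex-encoded HMAC-SHA256 over the raw request body (the page does not describe the real scheme), and the names signatureIsValid, createHandler, processedIds, applyEvent and the sample event are hypothetical.

```javascript
const { createHmac, timingSafeEqual } = require('node:crypto');

// ASSUMPTION: the signature is hex-encoded HMAC-SHA256 over the raw request body.
// The page does not describe MakePay's real scheme; adapt this check to it.
function signatureIsValid(rawBody, signatureHex, secret) {
  if (typeof signatureHex !== 'string' || !/^[0-9a-f]{64}$/i.test(signatureHex)) {
    return false;
  }
  const expected = createHmac('sha256', secret).update(rawBody).digest();
  // Constant-time comparison; lengths are equal because of the regex above.
  return timingSafeEqual(Buffer.from(signatureHex, 'hex'), expected);
}

// processedIds stands in for a persistent table with a unique event-ID column.
// applyEvent is the hypothetical callback that changes order/invoice state.
function createHandler({ secret, processedIds, applyEvent }) {
  return function handleWebhook(rawBody, signatureHex) {
    // 1. Authenticate the exact bytes received, before parsing or acting on them.
    if (!signatureIsValid(rawBody, signatureHex, secret)) {
      return { status: 401, result: 'rejected' };
    }
    let event;
    try {
      event = JSON.parse(rawBody);
    } catch {
      return { status: 400, result: 'malformed' };
    }
    if (!event || typeof event.id !== 'string' || event.id === '') {
      return { status: 400, result: 'malformed' };
    }
    // 2. A redelivered or replayed event is acknowledged but not applied again.
    if (processedIds.has(event.id)) {
      return { status: 200, result: 'duplicate' };
    }
    // 3. In production, record the ID and apply the change in one transaction.
    applyEvent(event);
    processedIds.add(event.id);
    return { status: 200, result: 'processed' };
  };
}

// Constructed sample input (not real MakePay data). In Strapi the secret would
// come from a server-side environment variable, never from client code.
const demoSecret = 'constructed-demo-secret';
const demoBody = JSON.stringify({ id: 'evt_demo_1', type: 'payment.completed' });
const demoSig = createHmac('sha256', demoSecret).update(demoBody).digest('hex');
const demoHandle = createHandler({ secret: demoSecret, processedIds: new Set(), applyEvent: () => {} });
console.log(demoHandle(demoBody, demoSig).result, demoHandle(demoBody, demoSig).result);
```

The check only works on the unparsed body bytes; a body that has been parsed and re-serialized may no longer match the signature.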

There aren't any published security advisories