Security: makecryptoio/makepay-sylius-plugin

Security Policy

Supported Versions

Security fixes are prepared for the latest tagged release and the main branch.

Reporting A Vulnerability

Report suspected vulnerabilities to info@makepay.io with enough detail to reproduce the issue. Please avoid public disclosure until the MakePay team has confirmed impact and prepared a fix.

Sylius Integration Rules

  • Store MakePay API credentials only in Sylius server-side payment method configuration.
  • Use HTTPS for checkout creation and webhook delivery.
  • Verify MakePay webhook signatures before changing payment state.
  • Keep payment state transitions idempotent.
  • Do not expose API tokens in Twig templates, logs, or storefront JavaScript.
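
The signature and idempotency rules above, sketched as an added PHP example; this is not code from the plugin or from MakePay. The signing scheme (hex HMAC-SHA256 over the raw body), the JSON field names, the state names and both function names are assumptions, because this page does not specify MakePay's webhook format.

```php
<?php
declare(strict_types=1);

// Assumed scheme: hex HMAC-SHA256 over the raw request body with a shared secret.
function isValidSignature(string $rawBody, string $signatureHex, string $secret): bool
{
    if ($secret === '' || $signatureHex === '') {
        return false; // fail closed when the secret or the header is missing
    }
    // hash_equals compares in constant time, so timing does not leak the MAC.
    return hash_equals(hash_hmac('sha256', $rawBody, $secret), strtolower($signatureHex));
}

// Hypothetical handler. $payments (id => state) and $seen (event ids) stand in for
// database tables; in production the event id needs a unique constraint.
function handleWebhook(string $rawBody, string $signatureHex, string $secret, array &$payments, array &$seen): string
{
    // Verify the exact bytes received, before any parsing or state lookup.
    if (!isValidSignature($rawBody, $signatureHex, $secret)) {
        return 'rejected';
    }
    $event = json_decode($rawBody, true);
    foreach (['event_id', 'payment_id', 'status'] as $key) {
        if (!is_array($event) || !is_string($event[$key] ?? null)) {
            return 'malformed';
        }
    }
    ['event_id' => $eventId, 'payment_id' => $paymentId, 'status' => $status] = $event;
    if (!in_array($status, ['completed', 'failed'], true) || !isset($payments[$paymentId])) {
        return 'ignored'; // target state not on the allow-list, or unknown payment
    }
    if (isset($seen[$eventId]) || $payments[$paymentId] !== 'new') {
        $seen[$eventId] = true;
        return 'duplicate'; // replay or already-final payment: no second transition
    }
    $payments[$paymentId] = $status;
    $seen[$eventId] = true;
    return 'applied';
}

// Constructed sample delivery, signed locally with a constructed secret.
$secret = 'constructed-test-secret';
$body = '{"event_id":"evt_1","payment_id":"pay_1","status":"completed"}';
$signature = hash_hmac('sha256', $body, $secret);
$payments = ['pay_1' => 'new'];
$seen = [];
foreach ([$signature, $signature, str_repeat('0', 64)] as $sig) {
    // first delivery, replayed delivery, then a forged signature
    echo handleWebhook($body, $sig, $secret, $payments, $seen), PHP_EOL;
}
```

The handler returns a short status string and never echoes the secret or the received signature, which keeps credentials out of logs as the last rule requires.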

There aren't any published security advisories