2.6.7 Security & Compliance
1. OAuth2 Best Practices
• Use state parameters to prevent CSRF attacks.
• Store client secrets securely and rotate them if they are compromised.
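How the state parameter actually stops login CSRF, as an added example that is not part of the original page: the server binds a fresh random state to the user's session before redirecting, then on the callback consumes it once, checks its age, and compares it in constant time. The session dict, URLs and `STATE_TTL_SECONDS` are assumptions for illustration.

```python
import hmac
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse

STATE_TTL_SECONDS = 600  # assumed: a state is valid for one login attempt only


def begin_authorization(session, authorize_url, client_id, redirect_uri, scope="openid"):
    """Build the provider authorize URL and bind a fresh, unguessable state to the session."""
    state = secrets.token_urlsafe(32)
    # The server-side session is the only place the expected state lives;
    # the browser never gets to choose it.
    session["oauth_state"] = state
    session["oauth_state_issued"] = time.time()
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": scope,
        "state": state,
    }
    return f"{authorize_url}?{urlencode(params)}"


def handle_callback(session, callback_url, now=None):
    """Validate the state on the redirect back; return the authorization code or raise."""
    now = time.time() if now is None else now
    query = parse_qs(urlparse(callback_url).query)
    returned_state = query.get("state", [None])[0]
    code = query.get("code", [None])[0]
    # Consume the stored state first so a replayed callback cannot pass twice.
    expected_state = session.pop("oauth_state", None)
    issued = session.pop("oauth_state_issued", 0)
    if expected_state is None or returned_state is None:
        raise PermissionError("missing OAuth state")
    if now - issued > STATE_TTL_SECONDS:
        raise PermissionError("OAuth state expired")
    # Constant-time comparison avoids leaking the expected value through timing.
    if not hmac.compare_digest(expected_state, returned_state):
        raise PermissionError("OAuth state mismatch: possible CSRF")
    if code is None:
        raise ValueError("provider returned no authorization code")
    return code
```

A callback that arrives without a matching, unexpired state in the caller's own session is rejected before the code is ever exchanged, which is the whole point of the check.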
2. API Keys & Secrets
• Keep external provider API keys in AWS Secrets Manager or environment variables (never commit to Git).
• Use IP whitelisting or request signing where possible.
3. Rate Limiting
• Rate-limit calls to external APIs to avoid hitting provider usage caps.
• Implement fallback providers if the primary goes down or is rate-limited.
4. Privacy
• Comply with GDPR when storing personal data obtained from social logins.
• Disclosure of how wallet addresses and transaction data are used or shared with third-party providers.