Security Checklist
Production security audit for InvoiceIQ — Level 6 Black Belt requirement
Security Score
15 passed · 2 warnings · 0 failures
Audit Date
April 8, 2026 — v1.6.0
Authentication & Authorization
Freighter wallet-based authentication (non-custodial)
Users own their keys
No private keys stored server-side
All signing happens client-side in Freighter extension
Connected wallet address cached in localStorage (public key only, no session secret)
Consider moving to sessionStorage so the cached address does not outlive the tab; either store is readable and writable by any same-origin script, so treat the cached value as a hint and re-verify it against the address Freighter reports on load
Wallet disconnect on session end
disconnect() clears localStorage entry
Smart Contract Security
All transactions are classic Stellar operations (payments, trustlines) built with the Stellar SDK
No custom Soroban contracts are deployed, so there is no contract-level business logic to audit
Memo field used for invoice reference traceability
All transactions carry the invoice ID as a MEMO_TEXT memo (max 28 bytes of UTF-8); memos are public on-chain, so the ID must be an opaque reference, never customer data
Fee bump transactions implemented (advanced feature)
Gasless UX via fee-bump wrapper — see Gasless page. The fee-source account signs the outer envelope and pays the fee, so its secret key lives only where the wrapper runs and must never reach the client bundle
Transaction amounts validated client-side before submission
Min 1 XLM, max 1M XLM enforced. This is a UX guard, not a trust boundary: the user reviews and signs the final amount in Freighter, and the network rejects amounts the account cannot fund or that exceed 7 decimal places
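The amount and memo checks described above, written out as an added example (not InvoiceIQ's own code). The 1 XLM / 1,000,000 XLM bounds come from the checklist; the 28-byte limit is Stellar's MEMO_TEXT maximum. Function names and the sample invoice ID are this example's own assumptions.

```javascript
// Added example, not InvoiceIQ project code: pre-submission checks for a
// payment built from an invoice. The bounds mirror the checklist
// (min 1 XLM, max 1,000,000 XLM); the memo limit is Stellar's MEMO_TEXT
// maximum of 28 bytes of UTF-8. Amounts are handled as integer stroops
// (1 XLM = 10,000,000 stroops) so floating-point rounding can never move a
// value across a boundary. Function names are this example's own.

const STROOPS_PER_XLM = 10000000n;
const MIN_STROOPS = 1n * STROOPS_PER_XLM;          // 1 XLM
const MAX_STROOPS = 1000000n * STROOPS_PER_XLM;    // 1,000,000 XLM
const MEMO_TEXT_MAX_BYTES = 28;

// Plain decimal only: no sign, exponent, whitespace or thousands separators,
// and at most 7 fractional digits (Stellar's precision).
const AMOUNT_RE = /^(\d+)(?:\.(\d{1,7}))?$/;

// Parse an amount string into stroops, or null if it is not a valid amount.
function parseStroops(amount) {
  const m = AMOUNT_RE.exec(String(amount));
  if (!m) return null;
  const whole = BigInt(m[1]);
  const frac = BigInt((m[2] ?? "").padEnd(7, "0"));
  return whole * STROOPS_PER_XLM + frac;
}

// Render stroops back to the canonical decimal string the SDK expects.
function formatXlm(stroops) {
  const whole = stroops / STROOPS_PER_XLM;
  const frac = (stroops % STROOPS_PER_XLM).toString().padStart(7, "0").replace(/0+$/, "");
  return frac ? `${whole}.${frac}` : `${whole}`;
}

function validateAmount(amount) {
  const stroops = parseStroops(amount);
  if (stroops === null) {
    return { ok: false, error: "amount must be a decimal with at most 7 fractional digits" };
  }
  if (stroops < MIN_STROOPS) return { ok: false, error: "amount below minimum of 1 XLM" };
  if (stroops > MAX_STROOPS) return { ok: false, error: "amount above maximum of 1,000,000 XLM" };
  return { ok: true, stroops };
}

// The memo is public on-chain, so the caller passes an opaque invoice ID,
// never customer data. MEMO_TEXT is limited by encoded byte length, not
// by character count.
function validateMemo(memo) {
  if (typeof memo !== "string" || memo.length === 0) {
    return { ok: false, error: "memo (invoice ID) required" };
  }
  const bytes = new TextEncoder().encode(memo).length;
  if (bytes > MEMO_TEXT_MAX_BYTES) {
    return { ok: false, error: `memo is ${bytes} bytes, MEMO_TEXT allows ${MEMO_TEXT_MAX_BYTES}` };
  }
  return { ok: true, bytes };
}

// Combined check; on success returns the normalised values to hand to the SDK.
// Destination addresses are not checked here: use StrKey.isValidEd25519PublicKey
// from the Stellar SDK for that, which also verifies the address checksum.
function validatePayment({ amount, memo }) {
  const a = validateAmount(amount);
  if (!a.ok) return a;
  const m = validateMemo(memo);
  if (!m.ok) return m;
  return { ok: true, amount: formatXlm(a.stroops), memo };
}
```

Working in stroops matters because `0.1 + 0.2` style rounding in JavaScript numbers can push a value just over the maximum or just under the minimum; the regex also rejects inputs like `1e3` or `-5` that `parseFloat` would happily accept.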
Data Security & Privacy
No PII stored on-chain (only Stellar public keys)
Invoice data shown in UI is mock/local only
No server-side database with unencrypted user data
App is fully client-side, no backend data storage
HTTPS enforced via Vercel deployment
TLS 1.3 on all endpoints
Content Security Policy (CSP) configured in vercel.json
X-Frame-Options, X-Content-Type-Options set
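A check a practitioner would want behind the CSP and header items above: a lint that reads the headers a vercel.json declares and flags weak settings, runnable in CI before deploy. This is an added example, not InvoiceIQ's own vercel.json or tooling; both configurations in it are constructed for illustration (the hardened one beside a weak one), and the function names are this example's own.

```javascript
// Added example, not InvoiceIQ project code: a lint for the security headers
// a static Vercel deployment declares in vercel.json. Both vercel.json objects
// below are constructed for this example; the project's real file may differ.

// Hardened form: script-src is 'self' only, connect-src is limited to the app
// and Horizon, frame-ancestors backs up X-Frame-Options, and object-src and
// base-uri are pinned. style-src keeps 'unsafe-inline' (common for React apps);
// it is a far smaller risk than inline scripts and is not flagged below.
const HARDENED_VERCEL_JSON = {
  headers: [
    {
      source: "/(.*)",
      headers: [
        {
          key: "Content-Security-Policy",
          value:
            "default-src 'self'; script-src 'self'; " +
            "connect-src 'self' https://horizon-testnet.stellar.org; " +
            "img-src 'self' data:; style-src 'self' 'unsafe-inline'; " +
            "frame-ancestors 'none'; object-src 'none'; base-uri 'self'",
        },
        { key: "X-Frame-Options", value: "DENY" },
        { key: "X-Content-Type-Options", value: "nosniff" },
        { key: "Strict-Transport-Security", value: "max-age=63072000; includeSubDomains" },
      ],
    },
  ],
};

// Weak form: one permissive default-src, no framing protection, no HSTS.
const WEAK_VERCEL_JSON = {
  headers: [
    {
      source: "/(.*)",
      headers: [
        { key: "Content-Security-Policy", value: "default-src * 'unsafe-inline' 'unsafe-eval'" },
        { key: "X-Content-Type-Options", value: "nosniff" },
      ],
    },
  ],
};

// Parse a CSP string into a Map of directive name -> source list.
function parseCsp(value) {
  const directives = new Map();
  for (const part of value.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    directives.set(name.toLowerCase(), sources);
  }
  return directives;
}

// Collect the headers vercel.json applies to a given source pattern.
function headersFor(config, source = "/(.*)") {
  const rule = (config.headers ?? []).find((r) => r.source === source);
  const out = new Map();
  for (const h of rule?.headers ?? []) out.set(h.key.toLowerCase(), h.value);
  return out;
}

// Returns { ok, findings }; each finding is a one-line description.
function lintSecurityHeaders(config) {
  const findings = [];
  const h = headersFor(config);

  const csp = h.get("content-security-policy");
  if (!csp) {
    findings.push("CSP missing");
  } else {
    const d = parseCsp(csp);
    if (!d.has("default-src")) findings.push("CSP: no default-src fallback");
    // script-src falls back to default-src when absent, so lint the effective list.
    const script = d.get("script-src") ?? d.get("default-src") ?? [];
    for (const bad of ["'unsafe-inline'", "'unsafe-eval'", "*", "data:", "http:"]) {
      if (script.includes(bad)) findings.push(`CSP: script-src allows ${bad}`);
    }
    if (!d.has("frame-ancestors")) findings.push("CSP: no frame-ancestors (clickjacking protection rests on X-Frame-Options alone)");
    if (!d.has("object-src")) findings.push("CSP: no object-src 'none'");
    const connect = d.get("connect-src") ?? d.get("default-src") ?? [];
    if (connect.includes("*")) findings.push("CSP: connect-src allows any origin (injected script could exfiltrate anywhere)");
  }

  const xfo = (h.get("x-frame-options") ?? "").toUpperCase();
  if (!["DENY", "SAMEORIGIN"].includes(xfo)) findings.push("X-Frame-Options missing or not DENY/SAMEORIGIN");
  if ((h.get("x-content-type-options") ?? "").toLowerCase() !== "nosniff") findings.push("X-Content-Type-Options is not nosniff");
  if (!h.has("strict-transport-security")) findings.push("Strict-Transport-Security not declared in vercel.json (confirm the platform sets it)");

  return { ok: findings.length === 0, findings };
}
```

For a wallet dapp the two directives that matter most are `script-src` (an injected script can prompt Freighter to sign) and `connect-src` (it should name only the Horizon host the app talks to), which is why the lint evaluates the effective list after `default-src` fallback rather than just checking that a header exists.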
Network & Infrastructure
Rate limiting handled by Stellar Horizon server
100 req/10s enforced by testnet Horizon. This limit protects Horizon, not the app; with no backend of its own there are no app endpoints to throttle, and a rate-limited Horizon surfaces as HTTP 429 that the UI must handle
Error boundaries on all API calls (try/catch)
Graceful fallback to mock data on failure; the UI must label fallback data as mock so a Horizon outage is never mistaken for a real balance or payment state
Dependency audit: no known high-severity CVEs
npm audit run — 0 high vulnerabilities (run against the committed lockfile; re-run on every dependency change)
Vercel DDoS protection active
Included in Vercel Pro deployment
Environment variables not exposed to client
No server-side secrets used (all calls use public APIs)