| Version | Supported |
|---|---|
| 1.x | ✅ Fully supported |

If you discover a security vulnerability in the Stampcoin Platform, please report it privately rather than opening a public issue.

- Contact: open a private security advisory via GitHub Security Advisories
- Include in your report:
  - A description of the vulnerability
  - Steps to reproduce the issue
  - The potential impact
  - Any suggested fix (optional)

Response timeline:

- Acknowledgement: within 48 hours
- Initial assessment: within 7 days
- Fix and disclosure: within 30 days (depending on complexity)
When running the Stampcoin Platform in production, set at least:

```
NODE_ENV=production
SYNC_TOKEN=<strong-random-secret>
PORT=10000
```

- Always set `SYNC_TOKEN` to a strong random secret in production
- Never commit secrets or tokens to the repository
- Set `NODE_ENV=production` to enforce authentication on protected endpoints
Protected endpoints require a Bearer token in the `Authorization` header:

```
Authorization: Bearer <SYNC_TOKEN>
```

The server restricts CORS origins in production. Set `ALLOWED_ORIGINS` to a comma-separated list of allowed origins.

- All wallet mutation endpoints are protected by the `requireToken` middleware when `NODE_ENV=production`
- The `blockchain/mint` endpoint requires authentication in all environments when `SYNC_TOKEN` is set
- In-memory data stores (auctions, NFT stamps, users) are for demonstration only; use a database in production