Security

Technical controls for the CryptoConvert swap interface.

Non-custodial design

We never ask for private keys. Swaps are routed to ff.io; settlement happens on-chain through that provider.

Server-side API

All exchange API calls and HMAC signing run on the server. API secrets are not exposed to the browser.

Abuse prevention

Abuse is limited by rate limiting (Upstash Redis in production), a CAPTCHA on swap creation, and input validation of addresses and amounts.

Browser protections

Content Security Policy, X-Frame-Options, HSTS, and strict referrer policy reduce XSS, clickjacking, and mixed-content risk.

Logging

Logs are minimized and redact sensitive fields (addresses, tokens, secrets).

Report an issue

If you discover a security concern, contact us through the support page with details so we can investigate.