Security
Security is foundational to KnowMint. As a marketplace handling cryptocurrency payments, we implement defense-in-depth across every layer.
Non-Custodial Architecture
KnowMint never holds your private keys or funds. All payments are direct peer-to-peer transfers from buyer wallets to seller wallets on Solana. We only verify and record transaction hashes.
API Key Security
API keys are hashed with SHA-256 before storage, so a copy of the database yields no usable keys. A fast, unsalted hash is appropriate here only because API keys are generated as long random secrets rather than chosen by users; user passwords would need a slow, salted password hash instead. Plaintext keys are never stored or logged. A key is shown once, at creation, and cannot be retrieved afterward; a lost key can only be revoked and replaced.
Security Headers
All responses include HSTS (max-age=63072000, i.e. two years, with includeSubDomains and preload), X-Frame-Options: DENY, a Content-Security-Policy that does not allow unsafe-eval, Referrer-Policy: strict-origin-when-cross-origin, and a Permissions-Policy that disables camera, microphone, and geolocation.
Wallet Authentication (SIWS)
Wallet connections use Sign-In with Solana (SIWS). The server generates a single-use challenge, consumes it atomically via a SECURITY DEFINER RPC so that a signed challenge cannot be replayed, and verifies the wallet's Ed25519 signature over the challenge message against the wallet's public key.
Rate Limiting
Multi-layer rate limiting protects against abuse: 120 req/min per IP (pre-auth), 60 req/min per API key (authenticated), 20 req/min for auth endpoints. Exceeded limits return HTTP 429 with X-RateLimit-Remaining and X-RateLimit-Reset headers.
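The layered policy above, as an added example in Node.js (not KnowMint's own middleware): a fixed-window counter applied per IP, per API key and per auth endpoint, with the first exhausted layer producing the 429 and the X-RateLimit headers. The `/auth/` path prefix, the request shape `{ ip, path, apiKeyId }` and the in-memory `counters` map are assumptions for the example; Retry-After is added as the standard companion to 429 and is not in the page's own list.

```javascript
// Added example, not KnowMint's own code: a fixed-window limiter applying the three
// layers described above (per IP, per API key, per auth endpoint) and producing the
// 429 response with X-RateLimit-Remaining and X-RateLimit-Reset.
const WINDOW_MS = 60_000;
const LIMITS = { ip: 120, key: 60, auth: 20 }; // requests per minute, from the policy

const counters = new Map(); // bucket -> { count, windowStart }

// Count one request against a bucket. reset is the Unix time (seconds) when the window ends.
function hit(bucket, limit, now = Date.now()) {
  const windowStart = Math.floor(now / WINDOW_MS) * WINDOW_MS;
  let c = counters.get(bucket);
  if (!c || c.windowStart !== windowStart) {
    c = { count: 0, windowStart };
    counters.set(bucket, c);
  }
  const allowed = c.count < limit;
  if (allowed) c.count += 1;
  return {
    allowed,
    limit,
    remaining: Math.max(0, limit - c.count),
    reset: Math.ceil((windowStart + WINDOW_MS) / 1000),
  };
}

function toResponse(limitedBy, r, now) {
  const headers = {
    'X-RateLimit-Remaining': String(r.remaining),
    'X-RateLimit-Reset': String(r.reset),
  };
  if (limitedBy) {
    // Retry-After is not in the page's header list; it is the standard companion to 429.
    headers['Retry-After'] = String(Math.max(1, r.reset - Math.floor(now / 1000)));
  }
  return { status: limitedBy ? 429 : 200, limitedBy, headers };
}

// Apply the layers in order. The IP layer is checked first because it needs no
// authentication. A request rejected by a later layer has still consumed an IP slot; that
// is intentional, since abusive traffic should burn the sender's budget, not be refunded.
// req is a constructed shape: { ip, path, apiKeyId? }. The "/auth/" prefix is hypothetical.
function checkRequest(req, now = Date.now()) {
  const layers = [['ip', `ip:${req.ip}`, LIMITS.ip]];
  if (req.path.startsWith('/auth/')) layers.push(['auth', `auth:${req.ip}`, LIMITS.auth]);
  if (req.apiKeyId) layers.push(['key', `key:${req.apiKeyId}`, LIMITS.key]);

  let tightest = null;
  for (const [name, bucket, limit] of layers) {
    const r = hit(bucket, limit, now);
    if (!r.allowed) return toResponse(name, r, now);
    if (!tightest || r.remaining < tightest.remaining) tightest = r;
  }
  // On success, report the layer with the least headroom so clients can back off early.
  return toResponse(null, tightest, now);
}
```

A fixed window is the simplest shape that yields an exact X-RateLimit-Reset value; it allows up to twice the nominal rate across a window boundary, which is acceptable for abuse limiting but worth knowing when tuning the numbers. In a multi-instance deployment the counters belong in a shared store (for example an atomic increment in Redis), not in process memory.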
Database Security
All database tables are protected by Row-Level Security (RLS). Sensitive operations run in SECURITY DEFINER functions whose search_path is pinned to pg_catalog, public, so that a caller cannot plant a same-named object in another schema and have the privileged function resolve to it. Functions intended for the service role have EXECUTE explicitly revoked from the anon and authenticated roles, so they cannot be called through the public API.
Audit History
The codebase has undergone 13+ rounds of automated security review (Codex), plus manual Black/White Hacker dual-agent penetration testing. Each round's findings were fixed and re-tested until no open findings remained.
Responsible Disclosure
If you discover a security vulnerability, please report it by email to contact@knowmint.shop; GitHub Issues are also accepted, but note that issues on a public repository are visible to everyone, so keep exploit details for the private channel. We take all reports seriously and will respond promptly.