Version 1.1 | Last updated: September 24, 2025

WebChain prioritizes security for both on-chain and off-chain operations. This document outlines best practices, recommended configurations, and safety measures for developers, validators, and end-users interacting with WebChain.

• All API requests that modify state must require proper authentication.
• Use JWT or OAuth2 tokens for user sessions.
• Validators must have role-based access to restricted endpoints.
• Never expose private keys in client-side code.

• All communication with WebChain endpoints must use HTTPS/TLS 1.2+.
• Sensitive data (private keys, OTPs, user information) should be encrypted at rest using AES-256 or equivalent.
• Never log sensitive information.

• All off-chain to on-chain transfers and withdrawals require One-Time Password (OTP) confirmation.
• OTPs must expire within a short window (e.g., 5 minutes).
• Repeated failed OTP attempts should trigger temporary account lockout.

• WebChain token logic is handled within the validator layer; no external smart contracts are needed.
• Validators should store private keys securely (hardware wallets recommended).
• Rotate API credentials periodically.
• Monitor validator activity logs for anomalies.
• Restrict validator endpoints by IP whitelisting when possible.

• Log only necessary operational events; avoid sensitive data.
• Monitor unusual activity: high-value transfers, repeated failed OTPs, unexpected API calls.
• Set up alerting for suspicious behavior.

• Have a defined response plan for security breaches.
• Immediately revoke compromised API keys.
• Notify affected users and perform forensic analysis.
• Update validator configurations if needed to mitigate risks.

• Keep WebChain nodes and dependencies updated.
• Perform regular penetration testing on API endpoints.
• Educate users on phishing attacks and account safety.
• Use rate limiting to prevent brute-force attacks.

Maintainers:

• WebChain Security Team
• Contact: security@e-talk.xyz