• Hashing: All passwords stored using Django's make_password() with PBKDF2 algorithm
• Validation: Django password validators enforce strong passwords
• Models: Users and Credentials models have set_password() and check_password() methods
• Never stored in plain text

• Hashing: PINs stored as hashed strings using Django's password hasher
• Verification: check_pin() method validates without exposing raw PIN
• API Protection: PIN verification requires JWT authentication

• Access Token: 1-hour lifetime
• Refresh Token: 7-day lifetime with rotation
• Algorithm: HS256 with SECRET_KEY signing
• Header: Bearer token in Authorization header

• Authentication Required: All endpoints require JWT by default
• CORS: Configured for React frontend only
• HTTPS: SSL redirect enabled in production
• CSRF Protection: Enabled for state-changing operations

• Serializers: Passwords/PINs marked as write_only=True
• Never returned in API responses
• Validation on input

• X-Frame-Options: DENY
• X-Content-Type-Options: nosniff
• X-XSS-Protection: 1; mode=block
• Strict-Transport-Security (HSTS) in production

POST /api/auth/register/
{
  "email": "user@example.com",
  "password": "SecurePass123!",
  "f_name": "John",
  "l_name": "Doe",
  "phone": "1234567890"
}

POST /api/auth/login/
{
  "identifier": "....",
  "password": "SecurePass123!"
}

Authorization: Bearer <access_token>

POST /api/wallet/verify-pin/
Authorization: Bearer <access_token>
{
  "wallet_id": "W123",
  "pin": "1234"
}

Run: python manage.py makemigrations && python manage.py migrate

Run: pip install -r requirements.txt