
Security: kootaeho/DEX-


SECURITY.md

Security Notice

⚠️ Development Project

This is a development/educational project demonstrating a decentralized exchange (DEX) implementation. It is NOT production-ready.

Security Considerations

Test Credentials

  • The default API keys (alice-test-api-key-123, bob-test-api-key-456) are for demo/testing only
  • The database credentials (postgres:postgres) are default development values
  • The Bitcoin RPC credentials are for a regtest/local node only

Before Production Use

  1. Change all default credentials (API keys, the postgres:postgres database password, Bitcoin RPC user/password)
  2. Generate API keys from a cryptographically secure random source, e.g. 32 random bytes hex-encoded:
    node -e "console.log(require('crypto').randomBytes(32).toString('hex'))"
  3. Load secrets from an environment-specific secrets manager (e.g., AWS Secrets Manager, HashiCorp Vault) rather than from committed config files
  4. Serve all production endpoints over HTTPS/TLS only
  5. Implement rate limiting and DDoS protection
  6. Add user authentication (e.g., JWT-based sessions); the API currently accepts a static API key only
  7. Audit smart contracts and on-chain settlement logic
  8. Set up monitoring and alerting
  9. Review and update all security configurations

Known Limitations

  • No JWT authentication (API key only)
  • Wallet private keys are encrypted with a key taken from an environment variable, not protected by an HSM
  • No 2FA implementation
  • Bitcoin RPC is mocked for testing; no real on-chain settlement happens by default
  • No rate limiting on API endpoints
  • Seed data includes hardcoded test users

Reporting Security Issues

If you discover a security vulnerability, please email: [your-email@example.com]

Do NOT open a public GitHub issue for security vulnerabilities.
