Please report suspected vulnerabilities privately through GitHub security advisories for this repository.
Do not open public issues for credential exposure, Ecwid token handling, payment status updates, or webhook verification bypasses.

- Ecwid payment requests are encrypted and must be decrypted server-side.
- Ecwid access tokens from payment requests must not be sent to browsers.
- Update Ecwid payment status before redirecting buyers to the Ecwid return URL.
- Verify MakePay webhook signatures before reconciling payments.