Security fixes are prepared for the latest tagged release and the main branch.
Report suspected vulnerabilities to info@makepay.io with enough detail to reproduce the issue. Please avoid public disclosure until the MakePay team has confirmed impact and prepared a fix.
- Keep MakePay credentials server-side.
- Persist Saleor installation tokens in encrypted durable storage before production use.
- Verify MakePay webhooks before acting on payment state.
- Treat Saleor webhook payloads as untrusted until signature verification is wired with the chosen app token store.
- Never expose MakePay tokens to storefront JavaScript.
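The third and fourth items above both come down to one rule: no payment-state change is applied until the inbound webhook has been authenticated. The following Python example (added here; not code from the MakePay or Saleor projects) shows the shape of that check. The header name `x-webhook-signature` and the HMAC-SHA256-over-raw-body scheme are assumptions for illustration only; substitute the signing scheme the provider actually documents. Only the standard library is used.

```python
import hashlib
import hmac
import json

# Header name and HMAC-SHA256 scheme are assumptions for this example,
# not MakePay's or Saleor's documented API; use the provider's real scheme.
SIGNATURE_HEADER = "x-webhook-signature"


def compute_signature(secret: bytes, body: bytes) -> str:
    """HMAC-SHA256 over the raw request body, hex-encoded."""
    return hmac.new(secret, body, hashlib.sha256).hexdigest()


def verify_webhook(secret: bytes, body: bytes, headers: dict) -> bool:
    """Return True only if the signature header matches the raw body.

    Verification runs over the raw bytes (not re-serialised JSON) and uses
    a constant-time comparison so a forged signature leaks no timing signal.
    The secret lives in server-side configuration, never in storefront code.
    """
    lowered = {k.lower(): v for k, v in headers.items()}
    provided = lowered.get(SIGNATURE_HEADER, "")
    expected = compute_signature(secret, body)
    return hmac.compare_digest(expected, provided)


def handle_payment_webhook(secret: bytes, body: bytes, headers: dict, orders: dict) -> dict:
    """Apply a payment-state change to `orders` only after verification succeeds."""
    if not verify_webhook(secret, body, headers):
        # Reject before parsing: unverified payloads are never interpreted.
        return {"accepted": False, "reason": "invalid signature"}
    try:
        event = json.loads(body)
    except ValueError:
        return {"accepted": False, "reason": "malformed body"}
    order_id = event.get("order_id")
    new_state = event.get("status")
    if order_id not in orders or new_state not in ("paid", "failed", "refunded"):
        return {"accepted": False, "reason": "unknown order or state"}
    orders[order_id] = new_state
    return {"accepted": True, "order_id": order_id, "state": new_state}


def demo() -> dict:
    """Constructed sample: one genuine event and one forged one (hypothetical data)."""
    secret = b"constructed-example-secret"  # would be loaded from server-side config
    orders = {"order-1": "pending"}

    body = json.dumps({"order_id": "order-1", "status": "paid"}).encode()
    genuine = handle_payment_webhook(
        secret, body, {"X-Webhook-Signature": compute_signature(secret, body)}, orders
    )

    # An attacker who knows the format but not the secret cannot produce a valid MAC.
    forged_body = json.dumps({"order_id": "order-1", "status": "refunded"}).encode()
    forged = handle_payment_webhook(
        secret, forged_body, {"X-Webhook-Signature": compute_signature(b"wrong", forged_body)}, orders
    )
    return {"genuine": genuine, "forged": forged, "orders": orders}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The order of operations is the point: the signature is checked over the raw body before the JSON is parsed, the comparison is constant-time, and the state table is only touched on the accepted path. If the real provider signs a timestamp alongside the body, fold it into the signed material and reject stale events as well.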