Security

Security model for the MVP.

Server-side roles

Admin, manager, and cashier access is checked in Nuxt server API routes before data is returned.

HttpOnly sessions

Login sessions are stored in HttpOnly cookies and signed with a server-only secret.

Webhook secret

SMS forwarding requires a shop ID and webhook secret. The secret is shown only to admin/manager roles.

No MoMo PINs

The product never needs the owner’s MoMo PIN, SIM credentials, or wallet password.

Pre-launch checklist

  • Rotate development Neon and app secrets before production use.
  • Review Privacy Policy and Terms with local legal counsel.
  • Add rate limiting and request logging around webhook endpoints.
  • Prepare admin workflow to rotate shop webhook secrets.
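
One way to implement the shop ID plus webhook secret check described under "Webhook secret", with an overlap window that supports the secret-rotation workflow in the checklist. This is an added example, not the product's own code: the `shops` store, `verifyWebhook`, the field names and the sample secrets are hypothetical, and it assumes webhook secrets are long random strings, so storing a plain SHA-256 of each is sufficient.

```javascript
// Added example: plain Node (CommonJS) so it runs stand-alone. In a Nuxt server
// route, import from "node:crypto" and call verifyWebhook() before any DB write.
const { createHash, timingSafeEqual } = require("node:crypto");

const sha256 = (s) => createHash("sha256").update(String(s), "utf8").digest();

// Constructed sample store (hypothetical shape): only secret hashes are kept.
// `previous` is the pre-rotation secret, honoured until `previousExpiresAt`.
const shops = new Map([
  ["shop_demo", {
    current: sha256("new-secret-constructed"),
    previous: sha256("old-secret-constructed"),
    previousExpiresAt: Date.parse("2030-01-01T00:00:00Z"),
  }],
]);

// Compared against for unknown shop IDs so the same work is done either way.
const DUMMY = sha256("no-such-shop");

function verifyWebhook(shopId, presentedSecret, now = Date.now()) {
  if (typeof shopId !== "string" || typeof presentedSecret !== "string") {
    return { ok: false, status: 400 };
  }
  const shop = shops.get(shopId);
  // Hashing first gives timingSafeEqual two equal-length (32-byte) buffers.
  const presented = sha256(presentedSecret);
  // Both comparisons always run; there is no early exit on the first mismatch.
  const matchesCurrent = timingSafeEqual(presented, shop ? shop.current : DUMMY);
  const matchesPrevious = timingSafeEqual(
    presented, shop && shop.previous ? shop.previous : DUMMY);
  const inGrace = Boolean(shop && shop.previous && now < shop.previousExpiresAt);
  if (shop && (matchesCurrent || (matchesPrevious && inGrace))) {
    // usedPrevious tells the admin view which forwarders still need the new secret.
    return { ok: true, status: 200, usedPrevious: !matchesCurrent };
  }
  // Unknown shop and wrong secret get the same answer, so shop IDs are not confirmed.
  return { ok: false, status: 401 };
}
```

Rate limiting and request logging from the checklist would wrap this call; log the shop ID and the result, never the presented secret.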