Security fixes are prepared for the latest tagged release and the main branch.
Report suspected vulnerabilities to info@makepay.io with enough detail to reproduce the issue. Please avoid public disclosure until the MakePay team has confirmed impact and prepared a fix.
- Store MakePay API credentials only in nopCommerce server-side settings.
- Use HTTPS for checkout creation and webhook delivery.
- Verify webhook signatures before marking orders as paid.
- Use fixed-time signature comparison.
- Do not expose API tokens in views, logs, or client-side code.
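
A sketch of the signature checks in the list above, as an added example that is not MakePay's or the plugin's own code. It assumes the webhook signature is a hex-encoded HMAC-SHA256 of the raw request body keyed with a shared webhook secret. This page does not specify the scheme, so the scheme, class names, and sample values are all assumptions.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Hypothetical helper: the names and the HMAC-SHA256/hex scheme are assumptions,
// not taken from the MakePay API. Requires .NET 5 or later.
public static class WebhookSignatureVerifier
{
    public static bool IsValid(byte[] rawBody, string signatureHex, string webhookSecret)
    {
        // Fail closed: a missing body, signature, or secret never verifies.
        if (rawBody == null || string.IsNullOrEmpty(signatureHex) || string.IsNullOrEmpty(webhookSecret))
            return false;

        byte[] provided;
        try { provided = Convert.FromHexString(signatureHex.Trim()); }
        catch (FormatException) { return false; } // malformed hex is rejected outright

        using var hmac = new HMACSHA256(Encoding.UTF8.GetBytes(webhookSecret));
        byte[] expected = hmac.ComputeHash(rawBody);

        // FixedTimeEquals returns false on a length mismatch; for equal lengths its
        // running time does not depend on where the first differing byte is.
        return CryptographicOperations.FixedTimeEquals(expected, provided);
    }
}

public static class Demo
{
    public static void Main()
    {
        // Constructed sample values, not real credentials or payloads.
        string secret = "example-webhook-secret";
        byte[] body = Encoding.UTF8.GetBytes("{\"order_id\":\"1001\",\"status\":\"paid\"}");
        byte[] tampered = Encoding.UTF8.GetBytes("{\"order_id\":\"1002\",\"status\":\"paid\"}");

        using var hmac = new HMACSHA256(Encoding.UTF8.GetBytes(secret));
        string goodSig = Convert.ToHexString(hmac.ComputeHash(body)).ToLowerInvariant();

        Console.WriteLine(WebhookSignatureVerifier.IsValid(body, goodSig, secret));     // genuine delivery
        Console.WriteLine(WebhookSignatureVerifier.IsValid(tampered, goodSig, secret)); // altered body
        Console.WriteLine(WebhookSignatureVerifier.IsValid(body, "not-hex", secret));   // malformed signature
    }
}
```

Compute the HMAC over the request bytes exactly as received, before any JSON parsing or re-serialization, and change the order's payment status only after `IsValid` returns true.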