Security architecture
Design notes for a trustworthy broker experience (not legal advice).
- Key custody: Broker master API secret only on server filesystem outside web root; per-user trading keys generated with minimal permissions.
- Transport: Enforce HTTPS; HSTS at edge; cookies HttpOnly+Secure.
- Application: Prepared statements (PDO), CSRF tokens on mutating forms (add token middleware next).
- Compliance: Geo rules, sanctions screening, and disclosures depend on your licences — wire those before going live.
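
One way to write the token middleware that the Application note lists as the next step, together with the cookie flags from the Transport note. This is an added example, not the project's own code; the function names, the `csrf_token` field name and the `SameSite=Lax` setting are assumptions.

```php
<?php
declare(strict_types=1);

// Added example. Function names and the "csrf_token" field are assumptions.
const MUTATING_METHODS = ['POST', 'PUT', 'PATCH', 'DELETE'];

/** Start the session with the cookie flags from the Transport note. */
function start_secure_session(): void
{
    if (session_status() === PHP_SESSION_ACTIVE) {
        return;
    }
    session_set_cookie_params([
        'secure'   => true,   // cookie is sent over HTTPS only
        'httponly' => true,   // cookie is not readable from JavaScript
        'samesite' => 'Lax',  // assumption: second layer beside the token
        'path'     => '/',
    ]);
    session_start();
}

/** Return the per-session token, creating it on first use. */
function csrf_token(array &$session): string
{
    if (empty($session['csrf_token'])) {
        $session['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $session['csrf_token'];
}

/** True when the request may proceed: safe method, or the token matches. */
function csrf_check(string $method, array $session, array $post): bool
{
    if (!in_array(strtoupper($method), MUTATING_METHODS, true)) {
        return true;
    }
    $expected = $session['csrf_token'] ?? '';
    $given    = $post['csrf_token'] ?? '';
    // Constant-time comparison; an empty or missing token never matches.
    return is_string($given) && $expected !== '' && hash_equals($expected, $given);
}

// Middleware entry point: include this file before any route handler runs.
if (PHP_SAPI !== 'cli') {
    start_secure_session();
    if (!csrf_check($_SERVER['REQUEST_METHOD'] ?? 'GET', $_SESSION, $_POST)) {
        http_response_code(403);
        exit('Invalid CSRF token');
    }
    csrf_token($_SESSION); // make sure a token exists for forms to embed
}
```

Each mutating form then carries the value of `csrf_token($_SESSION)` in a hidden `csrf_token` input, escaped with `htmlspecialchars()`.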