Security

Current application scope

Kaspushop is an application built with Next.js, NextAuth, Base Account / wallet SIWE authentication and server-side proxy routes to our backend infrastructure (hosted with OVHcloud, in Canada).

Authentication controls

• Base Account and wallet credentials providers verify signed SIWE messages.
• Domain, URI, nonce, issued-at window and Base mainnet chain are validated.
• Nonces are single-use and use Upstash Redis in production.
• Signature verification is performed server-side with Viem.

Session and backend access

• NextAuth uses JWT sessions with configured session and CSRF cookies.
• Commerce API routes require an active session before relaying backend calls.
• Backend JWTs are signed server-side and expire after 15 minutes.
• Backend bearer tokens are not exposed to browser code.

Runtime isolation

The production Next.js service is bound to the local interface and attached to a Docker bridge network. The production container runs the standalone Next.js server as a non-root user.

Secrets handling

• Runtime secrets are loaded from the deployment environment.
• No secret value is defined in published source files.
• Shopify token storage is backend-owned.

Data deletion and incidents

The contact point for any deletion request or incident report is contact@kaspushop.fr.

Deletion requests are handled within the applicable legal timeframes; in the event of a personal data breach, KASB SYSTEMS notifies the CNIL within 72 hours and informs the data subjects where required by regulation.