How OwnPay Protects Your Payments

Security practices and responsible disclosure policy for self-hosted payment infrastructure.

Reporting Vulnerabilities

If you discover a security vulnerability in OwnPay, please do not disclose it publicly. Report it responsibly by sending an email to [email protected].

We will acknowledge your report within 48 hours and work with you to analyze and patch the issue before public disclosure. Security advisories will be published on our GitHub Security board once the issue is fixed.

Core Security Practices

OwnPay is designed from the ground up to defend against the vulnerability classes in the OWASP Top 10:

  • SQL Injection Prevention: All database access uses parameterized PDO prepared statements. SQL is never built by string concatenation.
  • CSRF Protection: All mutating requests carry secure, cryptographically random session tokens validated server-side.
  • Rate Limiting: Database-backed rate limits protect authentication and submission endpoints from brute-force attacks.
  • Argon2id Passwords: Credentials are hashed using PHP's native PASSWORD_ARGON2ID algorithm with a high memory-cost setting.
  • Session Security: Cookies use the SameSite=Strict, Secure, and HttpOnly flags, so they are not sent on cross-site requests or over plain HTTP and cannot be read by injected scripts.
  • HTTP Security Headers: Strict CSP with per-request nonce, HSTS, X-Frame-Options DENY, and referrer policy on all responses.
  • Input Sanitization: All user input is sanitized at point of entry with htmlspecialchars, strip_tags, and filter_var.
  • Path Traversal Protection: All file paths are validated against allowed directories before access.
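
One way to implement the allowed-directory check named in the Path Traversal Protection item, as an added PHP example that is not OwnPay's own code. The helper name resolveInside, the directory layout and the file names are constructed for illustration, and PHP 8.0 or later is assumed.

```php
<?php
declare(strict_types=1);

// Hypothetical helper (not OwnPay code): return the canonical path of
// $requested if it lies inside $allowedDir, otherwise null. Needs PHP 8.0+.
function resolveInside(string $allowedDir, string $requested): ?string
{
    $base = realpath($allowedDir);
    // Reject NUL bytes up front; PHP 8 filesystem calls throw on them.
    if ($base === false || str_contains($requested, "\0")) {
        return null;
    }
    // realpath() resolves "..", "." and symlinks, and returns false when
    // the target does not exist, so only existing files can pass.
    $full = realpath($base . DIRECTORY_SEPARATOR . $requested);
    if ($full === false) {
        return null;
    }
    // Compare against the base WITH a trailing separator, so a sibling
    // such as "uploads_old" does not pass a prefix test for "uploads".
    $prefix = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    return str_starts_with($full, $prefix) ? $full : null;
}

// Constructed fixture in the system temp directory.
$root = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'pathdemo_' . bin2hex(random_bytes(4));
mkdir("$root/uploads", 0700, true);
mkdir("$root/uploads_old", 0700, true);
file_put_contents("$root/uploads/receipt.txt", 'ok');
file_put_contents("$root/uploads_old/secret.txt", 'x');
file_put_contents("$root/config.env", 'x');

// Constructed inputs, each mapped to whether access should be allowed.
$cases = [
    'receipt.txt'               => true,   // plain file inside the directory
    './receipt.txt'             => true,   // normalised to the same file
    '../config.env'             => false,  // climbs out of the directory
    '../uploads_old/secret.txt' => false,  // sibling sharing the name prefix
    'missing.txt'               => false,  // target does not exist
    "receipt.txt\0.png"         => false,  // embedded NUL byte
];
foreach ($cases as $input => $expectAllowed) {
    $allowed = resolveInside("$root/uploads", (string) $input) !== null;
    printf("%-32s %s\n", json_encode((string) $input), $allowed ? 'allowed' : 'rejected');
    if ($allowed !== $expectAllowed) {
        throw new RuntimeException("unexpected result for " . json_encode((string) $input));
    }
}
```

The sibling-directory case is the one a plain string-prefix comparison gets wrong, which is why the check appends the directory separator before comparing.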

Dependency Management

OwnPay uses only two Composer packages (vlucas/phpdotenv and phpmailer/phpmailer) to minimize supply chain risk. No JavaScript frameworks or external CSS libraries are loaded.