
Security: dawdambowe90-spec/ShopMax


Security Policy

Supported Versions

Use the latest version of ShopMax Enterprise to ensure you have the most recent security patches.

| Version | Supported |
| ------- | --------- |
| 1.x     | ✅        |
| < 1.0   | ❌        |

Reporting a Vulnerability

We take security seriously. If you discover a vulnerability, please do NOT open a public issue.

Process

  1. Email security@shopmax.com with a proof of concept.
  2. We will acknowledge your report within 24 hours.
  3. We will provide a timeline for a fix.

Infrastructure Security

  • HTTPS: Forced via Cloudflare/Vercel configuration.
  • Headers: Content Security Policy (CSP) is recommended in your production gateway (e.g., Nginx or Vercel config).
  • Dependencies: We run npm audit in our CI/CD pipeline.

Data Privacy

  • Storage: No sensitive PII (Personally Identifiable Information), such as credit card numbers, is stored in our database. All payments are offloaded to Stripe (a PCI-DSS Level 1 provider).
  • Local Storage: Only non-sensitive user preferences (e.g., "Recently Viewed") are stored in the browser.

Hardening Guide for Developers

  1. Do not commit .env files.
  2. Rotate API keys every 90 days.
  3. Sanitize Inputs: React escapes rendered text by default, but content passed to dangerouslySetInnerHTML bypasses that escaping, so sanitize it first and be careful wherever it is used.
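To make item 3 concrete, the following is an added example (not code from the ShopMax repository): it reproduces the entity escaping React applies to text children, then shows a small allow-list sanitiser for rich product text together with a branded-value pattern that prevents a raw string from ever reaching the dangerous prop. The sample product description, the tag allow-list and the `toSanitizedHtml`/`dangerousHtmlProp` names are assumptions for illustration; a production app would use a maintained sanitiser such as DOMPurify in place of `sanitizeRichText`.

```javascript
// Added example, not part of the ShopMax repository. Function names and the
// allow-list are illustrative assumptions.

// Equivalent of what React does for {text} children: every character that could
// open markup becomes an entity, so the string is rendered as text.
function escapeHtml(text) {
  return String(text)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

const ALLOWED_TAGS = new Set(["b", "i", "em", "strong", "p", "br", "ul", "ol", "li", "a"]);
const TAG_RE = /<(\/?)([a-zA-Z][a-zA-Z0-9]*)([^>]*)>/g;

// Allow-list sanitiser: allowed tags are re-emitted with no attributes (except a
// validated http(s) href on <a>); every other tag and all text is entity-escaped,
// so the output can only contain markup drawn from ALLOWED_TAGS.
function sanitizeRichText(html) {
  const s = String(html);
  let out = "";
  let last = 0;
  for (const m of s.matchAll(TAG_RE)) {
    out += escapeHtml(s.slice(last, m.index));
    const [token, slash, rawName, attrs] = m;
    const name = rawName.toLowerCase();
    if (!ALLOWED_TAGS.has(name)) {
      out += escapeHtml(token); // script, img, iframe, ... are rendered as text
    } else if (name === "a" && !slash) {
      const href = /\bhref\s*=\s*["']?(https?:\/\/[^"'\s>]+)/i.exec(attrs);
      out += href ? `<a href="${escapeHtml(href[1])}" rel="noopener noreferrer">` : "<a>";
    } else {
      out += `<${slash}${name}>`; // drops every attribute (onclick, style, ...)
    }
    last = m.index + token.length;
  }
  return out + escapeHtml(s.slice(last));
}

// Brand the sanitiser's output so a raw string cannot be handed to the prop by mistake.
const SANITIZED = Symbol("sanitized");
function toSanitizedHtml(html) {
  return { [SANITIZED]: true, __html: sanitizeRichText(html) };
}

// Stand-in for the prop handling. Accepts only branded values; in a component this is
// <div dangerouslySetInnerHTML={dangerousHtmlProp(toSanitizedHtml(description))} />.
function dangerousHtmlProp(value) {
  if (!value || value[SANITIZED] !== true) {
    throw new TypeError("dangerouslySetInnerHTML requires sanitised HTML; use toSanitizedHtml()");
  }
  return { __html: value.__html };
}

// Constructed product description mixing allowed markup with injected content.
const SAMPLE_DESCRIPTION =
  '<p>Soft <b onclick="steal()">cotton</b> tee <script>alert(1)</script> ' +
  '<a href="javascript:alert(1)">buy</a> <a href="https://shop.example/x">info</a></p>';
console.log(sanitizeRichText(SAMPLE_DESCRIPTION));
```

Run through the sanitiser, the sample keeps `<p>`, `<b>` and the https link, while the inline handler, the script element and the `javascript:` href all disappear or become inert text. The branding step is the part worth copying regardless of which sanitiser you use: it turns "did someone forget to sanitise" into a type error at the call site.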
