# Recommendations

paymail lives on the public web. As such, it is recommended that standard defensive mechanisms are deployed. These include, but are not limited to:

* maintain access logs
* prevent information leakage, including through error messages
* do not keep sensitive information on internet-connected servers
* place limits on everything, even if they are high
  * rate limits
  * maximum message size limits
  * bad request limits (leading to a ban)
    * malformed requests
    * suspicious requests
* secure the host operating system and environment
* operate under the principle of least privilege
* do not trust any input to any API endpoint
  * assume all API calls are hostile until proven otherwise
  * sanitize *everything*
* keep software/library/dependency versions up to date

There are additional concerns that are specific to the paymail service:

* consider the meanings of request bodies
  * whilst it might be normal for an online retail store to receive a high volume of payment destination requests and pay to email posts, consider the amounts being paid. a valid transaction might not count towards some sort of ban limit, but maybe it should if the service receives thousands of dust transactions a second
  * infinite-loop payment destination requests might be valid but can lead to resource exhaustion, both CPU (during key derivation) and address space (individual Type 2 HD Wallet derivation paths, for example, are not infinite)
  * consider if the request is really probing for leaked information, rather than performing its intended function
    * see the [401 Unauthorised](https://web.archive.org/web/20240412220748/http://bsvalias.org/05-pay-to-email.html#401-unauthorized) response section of the [Pay-to-Email specification](https://web.archive.org/web/20240412220748/http://bsvalias.org/05-pay-to-email.html) for an example
* consider risks to funds
  * use `xpub` or nChain public key derivation for payment destination discovery. do not keep wallet seeds or private keys in paymail services, as these are a gold mine waiting to be stolen by a malicious adversary