# Security

To secure your 2026 financial-grade infrastructure, you need a multi-layered defense stack. Since you are handling sensitive KYB data and managing private keys for Solana, these plugins ensure that data is encrypted at rest and protected during transit.

### 1. Backend Security: The "AdonisJS Fortress"

Your backend needs to be hardened against the 2026 threat landscape, specifically focusing on input validation and API shielding.


| **Dependency**          | **Purpose**             | **Implementation Task**                                        |
| ----------------------- | ----------------------- | -------------------------------------------------------------- |
| `@adonisjs/shield`      | Web Security Middleware | Enable CSP (Content Security Policy) and HSTS.                 |
| `@adonisjs/cors`        | API Protection          | Restrict `origin` to your specific Vue/Astro domain only.      |
| `@adonisjs/session`     | Context Isolation       | Required peer dependency for Shield to handle CSRF tokens.     |
| `zod` or `vinejs`       | Schema Enforcement      | Strictly validate all KYB payloads before they hit your DB.    |
| `rate-limiter-flexible` | Anti-DoS / Brute Force  | Protect your `/verify` and `/mint` endpoints from bot spam.    |
| `helmet`                | Header Hardening        | Hides your server technology stack from footprinting scanners. |

***

### 2. Frontend Security: The "Vue Trusted Client"

In the frontend, security comes down to what page scripts can see and to storage integrity. You must never store raw DIDs or VCs in `localStorage`.

| **Dependency**               | **Purpose**         | **Implementation Task**                                                   |
| ---------------------------- | ------------------- | ------------------------------------------------------------------------- |
| `@credo-ts/askar`            | Encrypted Storage   | Critical. Encrypts your DIDs and VCs in the browser's IndexedDB.          |
| `@solana/wallet-adapter-vue` | Secure Signing      | Bridges your Vue app to hardware-backed Solana wallets (Phantom/Ledger).  |
| `dompurify`                  | XSS Prevention      | Sanitizes any data retrieved from external banks before rendering in Vue. |
| `jose`                       | JWT/JWS Logic       | Handles secure signing of OIDC/OAuth tokens for your bank analysts.       |
| `argon2-browser`             | Client-Side Hashing | Used for hashing master passwords for your Credo Askar storage locally.   |

***

### 3. The "Silent Solana" Integration (Invisible Security)

To achieve the "Invisible Wallet" experience we discussed, you need a specialized provider that handles the security of the keys without the user ever seeing them.

* `@privy-io/server-sdk` or `@dynamic-labs/sdk-vue`: These handle the Embedded Wallet logic. They allow a bank analyst to log in via Azure AD (SSO) and automatically derive a Solana key in a non-custodial way.
* `@solana/web3.js` (v2.0): Ensure you are on the latest version to utilize the 2026 speed and security patches for transaction simulation.

***

### 4. Pro-Tip: The "2026 Security Audit" Checklist

Before you go live, ensure your AdonisJS Shield is configured to block any requests that don't match your Content Security Policy (CSP).

```typescript
// config/shield.ts
import { defineConfig } from '@adonisjs/shield'

const shieldConfig = defineConfig({
  csp: {
    enabled: true,
    directives: {
      defaultSrc: ["'self'"],
      // Only allow the wallet to talk to your Hub and the Solana RPC
      connectSrc: ["'self'", "https://api.mainnet-beta.solana.com", "https://api.hub.com"],
      // Prevent the frontend from being framed (Anti-Clickjacking)
      frameAncestors: ["'none'"],
    },
    // Enforce the policy rather than only reporting violations
    reportOnly: false,
  },
})

export default shieldConfig
```
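As an added audit helper for the go-live checklist (example code, not part of this page's config or of AdonisJS Shield), the snippet below serializes the camelCase directive map above into the header string the browser enforces and checks which `connect-src` destinations it allows, falling back to `default-src` the way browsers do. The page origin `https://app.hub.com` and the `auditDirectives` copy are constructed for the example.

```typescript
// Added audit helper (not AdonisJS Shield code): serialize a Shield-style camelCase
// CSP directive map to the header string and check which connect-src targets it allows.
type Directives = Record<string, string[]>;

// Constructed copy of the directives from config/shield.ts above.
export const auditDirectives: Directives = {
  defaultSrc: ["'self'"],
  connectSrc: ["'self'", "https://api.mainnet-beta.solana.com", "https://api.hub.com"],
  frameAncestors: ["'none'"],
};

// connectSrc -> connect-src, frameAncestors -> frame-ancestors
export function directiveName(key: string): string {
  return key.replace(/[A-Z]/g, (c) => "-" + c.toLowerCase());
}

// The Content-Security-Policy header value the browser will enforce.
export function buildCspHeader(d: Directives): string {
  return Object.entries(d)
    .map(([key, sources]) => `${directiveName(key)} ${sources.join(" ")}`)
    .join("; ");
}

// Host-source matching: optional scheme, optional "*." wildcard, optional explicit port.
// Simplification: a source without a scheme matches any scheme, and an explicit port
// in the source must appear explicitly in the URL as well.
function hostSourceMatches(src: string, target: URL): boolean {
  if (/^[a-z][a-z0-9+.-]*:$/i.test(src)) return target.protocol === src.toLowerCase();
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^/:*]+)(?::(\d+))?/i.exec(src);
  if (!m) return false;
  const [, scheme, wildcard, host, port] = m;
  if (scheme && target.protocol !== `${scheme.toLowerCase()}:`) return false;
  const h = host.toLowerCase();
  const hostOk = wildcard ? target.hostname.endsWith(`.${h}`) : target.hostname === h;
  return hostOk && (!port || target.port === port);
}

// Would a fetch/XHR/WebSocket from a page at `pageOrigin` to `url` pass the policy?
// connect-src falls back to default-src when absent, as browsers do.
export function allowsConnect(d: Directives, pageOrigin: string, url: string): boolean {
  const sources = d.connectSrc ?? d.defaultSrc ?? [];
  const target = new URL(url);
  if (sources.length === 1 && sources[0] === "'none'") return false;
  return sources.some((src) => {
    if (src === "*") return true;
    if (src === "'self'") return target.origin === pageOrigin;
    if (src.startsWith("'")) return false; // keyword sources never match a URL
    return hostSourceMatches(src, target);
  });
}
```

Run it against each third-party endpoint the wallet needs before deploying; a destination that returns `false` here will be blocked by the browser, not merely logged.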

#### Why this stack?

Using Credo Askar on the frontend ensures that even if a malicious browser extension tries to scrape the page, your users' vLEI Credentials are encrypted with a key that is never stored in plain text.

Would you like me to show you the specific `.env` security variables you need to set up in your AdonisJS backend to support this gasless, invisible Solana flow?
