Security

How lnbay protects your account and funds, and how you can keep yourself safe.

How we protect your account

We have built lnbay with security as a core principle, not an afterthought. Here is what we do to keep your account and data safe:

  • Passwords hashed with bcrypt — your password is never stored in plain text. We use bcrypt with a cost factor of 12, meaning even if our database were compromised, passwords could not be recovered quickly.
  • HttpOnly session cookies — your authentication token is stored in a cookie that JavaScript cannot access, protecting it against cross-site scripting (XSS) attacks.
  • SameSite cookie policy — our session cookie is set with SameSite=Lax, so browsers do not attach it to cross-site requests (other than top-level navigations such as following a link), which mitigates cross-site request forgery (CSRF) attacks.
  • JWT-based authentication — sessions are managed via signed JSON Web Tokens with a 7-day expiry. Tokens are verified on every authenticated request.
  • Server-side input validation — all data submitted to the API is validated and sanitised on the server before being stored or processed.
  • No plain-text secrets — sensitive configuration such as JWT signing keys are stored as environment variables, never hardcoded in source code.
  • No fund custody — lnbay briefly holds funds during payment processing before immediately forwarding them to the seller's Lightning address. We do not maintain wallets on behalf of users.

Payment security

Payments on lnbay are processed via the Bitcoin Lightning Network through our payment processor, OpenNode. Lightning payments have several inherent security properties:

  • Cryptographically secured — Lightning payments use hash time-locked contracts (HTLCs), meaning funds can only be claimed by the intended recipient with the correct payment preimage.
  • No card data — lnbay never handles credit card numbers, bank account details, or any traditional payment credentials. There is nothing to steal in a data breach beyond transaction amounts.
  • Final and irreversible — once a Lightning payment confirms, it cannot be reversed by any third party. This eliminates chargeback fraud that is common on card-based platforms.
  • Invoice-based — every payment requires a specific invoice generated for that transaction. You cannot be charged twice or for an amount other than what you agreed to.

Always verify the invoice amount

Before paying, check that the amount shown in your wallet matches the order total on screen. lnbay will never ask you to pay more than what is displayed at checkout.

How to protect yourself

Platform security can only go so far — here is what you can do to stay safe:

  • Use a strong, unique password — do not reuse your lnbay password on other sites. Use a password manager to generate and store a strong password.
  • Keep your email account secure — your email is used for account recovery. If someone gains access to your email, they can potentially access your lnbay account too.
  • Keep your Lightning wallet secure — use a reputable Lightning wallet, keep your seed phrase offline and private, and never share it with anyone. lnbay staff will never ask for your seed phrase or private keys.
  • Check seller ratings before buying — review a seller's rating and past reviews before placing an order. New sellers with no history carry more risk.
  • Use the platform messaging system — communicate with sellers through lnbay Messages rather than moving to external platforms where you have less recourse.
  • Log out on shared devices — if you use lnbay on a shared or public computer, always log out when you are done.
  • Delete your account when not in use — if you no longer need your account, delete it from Settings. Your personal data will be removed and your username permanently reserved.

Phishing and scam awareness

lnbay will never contact you asking for your password, seed phrase, private keys, or payment outside the platform. If you receive such a message claiming to be from lnbay, it is a scam.

Common scams to watch out for:

  • Fake lnbay emails — scammers may send emails impersonating lnbay asking you to click a link and enter your credentials. Always check that the sender's email domain matches lnbay.shop exactly.
  • Off-platform payment requests — sellers who ask you to pay outside lnbay are violating our policies and you will have no recourse if they don't deliver.
  • Too-good-to-be-true listings — if a listing price seems implausibly low, treat it with caution. Check the seller's rating and message them with questions before buying.
  • Fake buyer scams — as a seller, be aware of buyers who claim to have paid but provide fake screenshots. Always confirm payment in your My Sales dashboard and your Lightning wallet before shipping.

When in doubt, don't

If something feels off — an unusual request, a suspicious link, an implausible offer — trust your instincts and don't proceed. Report it to us instead.

Responsible disclosure

We take security vulnerabilities seriously. If you discover a security issue in lnbay — such as a way to access other users' data, bypass authentication, or manipulate payments — please report it to us privately before disclosing it publicly.

To report a vulnerability, email us at contact@lnbay.shop with the subject line Security vulnerability report. Include a clear description of the issue and steps to reproduce it.

We will acknowledge your report within 2 business days and work to resolve confirmed vulnerabilities promptly. We ask that you give us reasonable time to address the issue before any public disclosure.
