# Nostr Auth Security Checklist

- Replay window: enforce ±120s `created_at` tolerance; reject reused or stale events.
- HTTPS only: require TLS termination before the API; never accept plain HTTP in production.
- Canonical URL: sign/verify the exact scheme + host + path + query; strip fragments.
- Payload hashing: hash raw bytes; reject if the `payload` tag hash differs from the received body.
- Rate limiting: apply IP/pubkey-based throttling to mitigate brute force or flood attempts.
- Logging hygiene: avoid persisting raw payloads/signatures; redact PII and secrets from logs.
- Dependency pinning: lock `nostr-tools` and crypto dependencies; track CVEs and update promptly.
- Test coverage: maintain ≥90% coverage for the Nostr auth service/guard and add E2E cases for tamper/replay.