Security, CORS & Cookies

• Enforce HTTPS and modern TLS.

• Restrict your wallet APIs to TS IP ranges if possible.

• Validate hash, token, and currency on every call.

• Use SameSite=None; Secure on cookies that must be sent in a third‑party iFrame context.

• Consider CSRF not applicable to server‑to‑server calls, but do protect your /authenticate endpoint.