Security

EUWithdrawalButton.app is deployed on Cloudflare infrastructure with HTTPS, edge routing, Workers runtime isolation, D1 database storage, and Cloudflare DNS.

Merchant app routes and APIs are protected by authenticated sessions. Public app and API routes are marked noindex where appropriate.

Magic-link sign-in tokens are time-limited and stored as hashes. Google OAuth is available when configured for merchant authentication.

Turnstile can be enabled for public submission and checker abuse protection. Public form rate limits and hashed network signals are used where configured.

Transactional email supports provider delivery status logging so merchants can inspect whether customer and merchant messages were queued, sent, or failed.