# Best Practices
As a developer or business integrating Flutterwave to receive payments, it's important to follow best practices to maintain reliability, security, and compliance. Here are some key guidelines:
# Payments
## Receiving Customer Payments
* Always [verify the payment](/v4.0/reference/charges_get) before giving value. Confirm the `amount`, `currency`, `transaction reference` and customer details.
* Implement webhooks to handle transaction updates reliably.
* When checking transaction status, make sure you're not hitting rate limits.
## Making Payments
* For USSD and transfer payments, use [webhooks](/v4.0/docs/webhooks) to confirm payment completion.
## Error Handling
* Handle edge cases carefully by giving value or rendering service only on definite API responses.
* Catch all errors and show user-friendly, general messages when necessary.
## Validating webhooks
* Set a [signature](/v4.0/docs/webhooks#verifying-webhook-signatures) from your dashboard under **Settings > Webhooks** to verify all incoming webhooks.
# Security
## API Management
Verify that your app meets the following requirements for managing your API keys:
* Never hardcode API credentials in your codebase.
* Only initiate token-protected API calls from your backend, not from the client (browser or mobile app).
* Store credentials in environment variables or use a secrets manager.
## Authentication
* Enforce strong password policies (e.g., minimum 8 characters, including uppercase, lowercase, numbers, and symbols).
* Use input validation during login.
* Prevent brute-force attacks using rate limits, account lockouts, and two-factor authentication.
* Store database credentials securely, preferably using a secrets manager.
## Cookie Management
* Set all app session cookies with `Secure` and `HttpOnly` attributes.
* On logout, terminate the session on the server and clear client-side session tokens to prevent caching.
* Store session tokens in cookies and transport them only via HTTP cookie headers.
## Session Management
* Set session timeouts on the server.
* Limit session duration to a maximum of 10 hours, after which re-authentication is required.
* Implement idle timeouts.
* Prevent concurrent sessions.
* Use a cryptographically secure random number generator for session tokens.
## Session Termination
* Provide a clearly accessible logout option to terminate user sessions.
* Invalidate sessions on the server during logout.
* Destroy all session tokens on logout to make them unusable.
## Handling Sensitive Information
* Use secure channels (`TLS 1.2` or `TLS 1.3`) for key exchange.
* Limit storage and transmission of sensitive data. Use abstract identifiers where possible.
* Encrypt sensitive data at rest.
## Error Handling and Accountability
* Log all privileged changes and administrative/user activities.
* Log all access to sensitive data.
* On unhandled exceptions, show a generic message to users. Never expose internal details like database errors or server traces.
* Store logs securely and follow global log retention standards.
## Input and Output Forms
* Validate all inputs on the server side, even if already validated on the client.
* Encode all outputs.
* Proper validation and encoding protect your application against stored and reflected cross-site scripting (XSS) in headers, cookies, form fields, query strings, and hidden fields.
* Use character whitelists for user inputs.
* Validate uploaded files thoroughly.
* Use parameterized SQL queries to prevent SQL injection.
## Application Server
* Disable caching for SSL pages and any page with sensitive data. Use `Cache-Control: no-cache` or `no-store `instead of `private`.
* Keep OS, web server, and app server security patches up to date.
* Only support TLS 1.2 or higher.
* Enforce HTTPS across all pages and endpoints.
* Disable `TRACE` and other unnecessary HTTP methods on your web server.
## Vulnerability and Security Assessment
Your application should be protected against common security risks, including:
* Cross-Site Request Forgery (CSRF)
* Reflected and Stored Cross-Site Scripting (XSS)
* SQL Injection
* XML Injection