Security Practices
There are several security best practices that you should review before you launch your NFT project.
Your NFT project's security
It can seem easy to connect the pieces required to mint and sell NFTs on Cardano, but you have a responsibility to protect your customers from potential pitfalls.
Reviewing our best practices and staying up to date with the best ways to run secure and scalable NFT drops on Cardano will help ensure your success.
Preventing bots from buying your NFTs
If you have a large enough following, or vulnerabilities in your NFT minting system, your NFTs can be bought up by bots.
Typically people deploy bots to obtain as many of the NFTs as they can, hoping that the scarcity created by buying them all drives up the price on the secondary market.
It's up to you to ensure that your project uses the minting and selling method that best matches your tolerance for this behavior.
Protecting your NFT reservation implementation
If you're selling your NFTs by using our API to generate a unique address for each potential customer, there are several ways to prevent malicious behavior.
Only reserve an NFT for purchase when the user explicitly clicks a button on the page, i.e. on a deliberate request to your backend. If you reserve an NFT automatically as soon as someone loads your website, it's easy for a single person to open tens or even hundreds of tabs and reserve all of the available NFTs within seconds.
Implement a reCAPTCHA (or similar) so prospective buyers prove they are human before you create their unique address. Remember: verify the CAPTCHA response on your server, and only after it has been validated should you generate the wallet address for them to use. A check that runs only in the browser can be skipped by anyone who calls your backend directly.
You could also implement a login system with email validation. This way you know that only people with a valid email address can reserve an NFT, which makes it harder to scale up to many reservations. Limiting each verified account to one open reservation at a time closes the remaining gap.
Even the options listed here aren't foolproof. It's up to you to stay informed of the best practices in the always-changing Cardano NFT space.
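The following is an added example (not NMKR's code) of a reservation gate that enforces the three measures above together: an address is only generated on an explicit reserve request, the CAPTCHA is verified server-side before any address exists, and each validated email holds at most one open reservation until its payment window lapses. The CAPTCHA verifier, the address factory and the clock are injected callables, and the stand-ins used by `demo()` are constructed so it runs offline; NMKR's real API calls are not reproduced here.

```python
"""Reservation gate for a per-buyer-address NFT sale (added example, not NMKR's code)."""
import time
from dataclasses import dataclass
from typing import Callable, Dict


@dataclass
class Reservation:
    email: str
    address: str
    expires_at: float


class ReservationError(Exception):
    """Raised when a reserve request is refused; no address is generated."""


class ReservationGate:
    """Hands out one pay-in address per verified buyer, only on an explicit request.

    verify_captcha(token, client_ip) -> bool : server-side CAPTCHA check (hypothetical)
    create_address() -> str               : your backend's call that obtains a fresh address
    """

    def __init__(self, verify_captcha: Callable[[str, str], bool],
                 create_address: Callable[[], str], supply: int,
                 ttl_seconds: int = 900, now: Callable[[], float] = time.time):
        self._verify_captcha = verify_captcha
        self._create_address = create_address
        self._supply = supply
        self._ttl = ttl_seconds
        self._now = now
        self._open: Dict[str, Reservation] = {}   # keyed by verified email

    def _expire(self) -> None:
        """Drop reservations whose payment window has lapsed so the slot is free again."""
        now = self._now()
        for email in [e for e, r in self._open.items() if r.expires_at <= now]:
            del self._open[email]

    def open_count(self) -> int:
        self._expire()
        return len(self._open)

    def reserve(self, *, email: str, email_verified: bool,
                captcha_token: str, client_ip: str) -> str:
        # Rule 1 is structural: this runs only for an explicit reserve request, never on page load.
        if not email_verified:
            raise ReservationError("sign in with a validated email address first")
        # Rule 2: the CAPTCHA is checked here, on the server, before any address exists.
        if not self._verify_captcha(captcha_token, client_ip):
            raise ReservationError("CAPTCHA verification failed")
        self._expire()
        # Rule 3: a buyer who already holds an open reservation gets the same address back.
        existing = self._open.get(email)
        if existing is not None:
            return existing.address
        if len(self._open) >= self._supply:
            raise ReservationError("no NFTs left to reserve")
        address = self._create_address()
        self._open[email] = Reservation(email, address, self._now() + self._ttl)
        return address


# --- constructed stand-ins so the example runs offline ------------------------
def fake_captcha(token: str, client_ip: str) -> bool:
    """Stands in for a server-to-server call to the CAPTCHA vendor's verify endpoint."""
    return token == "valid-captcha-response"


def make_fake_address_factory() -> Callable[[], str]:
    counter = {"n": 0}

    def create_address() -> str:
        counter["n"] += 1
        return f"addr_test_placeholder_{counter['n']:03d}"  # placeholder, not a real address
    return create_address


def demo() -> dict:
    clock = {"t": 1_000.0}
    gate = ReservationGate(fake_captcha, make_fake_address_factory(), supply=2,
                           ttl_seconds=60, now=lambda: clock["t"])
    ok = "valid-captcha-response"
    out = {}
    try:
        gate.reserve(email="a@example.com", email_verified=True, captcha_token="bogus", client_ip="203.0.113.7")
        out["bad_captcha"] = "allowed"
    except ReservationError:
        out["bad_captcha"] = "refused"
    a1 = gate.reserve(email="a@example.com", email_verified=True, captcha_token=ok, client_ip="203.0.113.7")
    a2 = gate.reserve(email="a@example.com", email_verified=True, captcha_token=ok, client_ip="203.0.113.7")
    out["same_buyer_same_address"] = a1 == a2     # a second tab does not get a second slot
    out["open_after_repeat"] = gate.open_count()
    gate.reserve(email="b@example.com", email_verified=True, captcha_token=ok, client_ip="198.51.100.2")
    try:
        gate.reserve(email="c@example.com", email_verified=True, captcha_token=ok, client_ip="198.51.100.3")
        out["over_supply"] = "allowed"
    except ReservationError:
        out["over_supply"] = "refused"
    clock["t"] += 61                               # payment windows lapse, slots free up
    out["open_after_expiry"] = gate.open_count()
    return out


if __name__ == "__main__":
    print(demo())
```

The important design choice is that `reserve` is the only path that creates an address, and it cannot be reached without a server-verified CAPTCHA result and a validated email; repeated requests from the same buyer return the same address rather than consuming another slot.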
Protecting your pay-in address implementation
If you're selling your NFTs by using our pay-in address implementation, where a single wallet address is used by everyone, there are different ways to prevent malicious behavior.
If you want only a certain group of people to use the address, you should keep it as hidden as possible. It's easy for a single person to copy and paste the pay-in wallet address and instructions on social media. That's why it's important to explicitly tell your customers not to share the details of the sale.
You could also make sure to only post the address and buying instructions in a closed community, such as an email newsletter list, a private Discord group, direct messages to specific individuals, or accounts on your website.
By limiting the overall exposure of the pay-in address you have a better chance of preventing a single individual from minting the majority of your NFTs.
Setting up an external hardware wallet
Your Internal Wallet is a wallet assigned to your account but managed by NMKR Studio. You can use it to mint NFTs or to receive ADA from your sales.
At the same time, we advise that you connect your own wallet, external to NMKR Studio, and never store large sums of ADA in the Internal Wallet.
You can use the Internal Wallet to facilitate your NFT sales, but an external wallet backed by a hardware device is the most secure option available: its signing keys never leave the device, so neither your NMKR Studio account nor the computer you operate from can spend from it without a physical confirmation on the device.
Protect your NMKR Studio API usage
Since NMKR Studio is an API-based solution, it can be accessed from your local computer, a website, a server, etc. Although it's technically possible, it is not intended for you to make API calls directly to NMKR Studio from your website, because anything the browser sends (including your API key) is visible to whoever is using it.
We recommend that if you need to interact with our API based on an action a user takes on your website, you call an API that you own, and your server then calls our API to complete the action.
Don't expose your NMKR Studio API key on your website or in the responses of your own API.
Don't expose values like NFT project IDs, NFT IDs, etc. anywhere public; if the client needs to refer to them, map them to opaque identifiers on your backend.
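The following is an added example (not NMKR's code) of the backend-proxy pattern described above. The browser sends only an action name and a public project slug; the backend reads the API key from the environment, resolves the slug to the internal project ID, forwards one allow-listed request upstream, and returns only allow-listed fields so neither the key nor internal IDs reach the client. The upstream call, its path and the `Authorization` header format are assumptions injected as a callable so the example runs offline; `FakeUpstream` and the key in `demo()` are constructed stand-ins.

```python
"""Backend proxy between your website and NMKR Studio (added example, not NMKR's code)."""
import os
from typing import Any, Callable, Dict

# Public slug -> internal project id. Only the slug is ever sent to the browser.
PROJECT_CATALOG: Dict[str, str] = {
    "spring-drop": "internal-project-id-0001",   # constructed placeholder, not a real id
}
ALLOWED_ACTIONS = {"reserve"}                    # anything else is refused before upstream
CLIENT_VISIBLE_FIELDS = {"address"}              # allow-list for what goes back to the browser

UpstreamCall = Callable[[str, str, Dict[str, str], Dict[str, Any]], Dict[str, Any]]


class ProxyError(Exception):
    pass


def load_api_key(env: Dict[str, str]) -> str:
    """Read the key from the environment at request time, never from a file in the repo."""
    key = env.get("NMKR_API_KEY")
    if not key:
        raise ProxyError("NMKR_API_KEY is not configured on the server")
    return key


def handle_client_request(client_body: Dict[str, Any], send_upstream: UpstreamCall,
                          env: Dict[str, str] = os.environ) -> Dict[str, Any]:
    """Validate a browser request, attach the credential server-side, forward, and sanitize."""
    action = client_body.get("action")
    if action not in ALLOWED_ACTIONS:
        raise ProxyError("unsupported action")
    project_id = PROJECT_CATALOG.get(client_body.get("project", ""))
    if project_id is None:
        raise ProxyError("unknown project")
    # The credential is attached here, on the server; the header format is an assumption.
    headers = {"Authorization": f"Bearer {load_api_key(env)}"}
    upstream = send_upstream("POST", f"/hypothetical/{action}", headers, {"projectId": project_id})
    # Return only allow-listed fields so internal ids in the upstream reply never leak.
    return {k: v for k, v in upstream.items() if k in CLIENT_VISIBLE_FIELDS}


# --- constructed stand-in for the upstream API --------------------------------
class FakeUpstream:
    """Records what it was sent and replies like a service that echoes internal ids."""

    def __init__(self) -> None:
        self.calls = []

    def __call__(self, method: str, path: str, headers: Dict[str, str],
                 body: Dict[str, Any]) -> Dict[str, Any]:
        self.calls.append({"method": method, "path": path, "headers": headers, "body": body})
        return {"address": "addr_test_placeholder", "projectId": body["projectId"], "nftId": "nft-0042"}


def demo() -> Dict[str, Any]:
    env = {"NMKR_API_KEY": "example-key-do-not-use"}   # constructed; a real key comes from deployment
    upstream = FakeUpstream()
    reply = handle_client_request({"action": "reserve", "project": "spring-drop"}, upstream, env)
    try:
        handle_client_request({"action": "delete_project", "project": "spring-drop"}, upstream, env)
        blocked = False
    except ProxyError:
        blocked = True
    return {
        "client_sees": reply,
        "upstream_saw_key": upstream.calls[0]["headers"]["Authorization"].endswith("example-key-do-not-use"),
        "upstream_saw_project_id": upstream.calls[0]["body"]["projectId"],
        "unlisted_action_blocked": blocked,
        "upstream_calls": len(upstream.calls),
    }


if __name__ == "__main__":
    print(demo())
```

Two details carry the security value: the action allow-list means a client cannot turn your proxy into a general-purpose relay for every NMKR endpoint your key can reach, and the response allow-list means fields your backend never chose to expose stay on the server even when the upstream reply contains them.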
More important security practices
Show your policy ID to your customers so they can verify that an NFT really belongs to your project and don't get scammed by lookalike collections.
Don't commit your NMKR Studio API keys to a repository, even a private one; load them from environment variables or a secrets manager instead.
Don't publish the keys to any of your policies anywhere online; anyone holding a policy's signing key can mint under that policy.
Don't get tricked by people claiming they paid for an NFT they didn't receive; confirm the payment transaction and the delivery on-chain before sending anything.
Don't let someone get refunded twice. If you issue a refund manually, record it against the original transaction so an automated refund process doesn't pay it out again.
Don't collect personal information you don't have to; anything you store can leak and has to be protected.