Security
Updated 2026-05-19.
Mobile Trader is built to make exploiting a single weakness as expensive as possible. This page documents the security posture of the public-facing service: the API, the free key-issuance flow, the live MCP signal stream, and the website you're reading.
Non-custodial — first principle
We never see, hold, or sign for your funds. The signal feed is free — no payment flow at all. Signal delivery is a one-way push from our backend to your client. No code path on our side ever has signing authority on your wallet.
- No seed phrases requested, stored, or transmitted.
- No private keys, ever.
- No "connect wallet to get started" flow that requests transaction approval.
- Trades you execute on signals are signed by you in your own wallet, in your own client.
API keys — hash-only storage
Your mtk_live_* API key is generated server-side from 32 bytes of crypto.getRandomValues, emailed to you exactly once when you claim it, and immediately discarded from server memory. Only the SHA-256 hash of the key is persisted to our database.
Every subsequent authentication request re-hashes the presented key and compares against the stored hash. If our database is leaked tomorrow, the plaintext keys cannot be recovered — they were never stored.
Rate limiting — Durable Object atomic counters
Every public endpoint is rate-limited per-IP per-minute via Cloudflare Durable Objects. Counters are transactional and serialized within each DO instance — no race window under burst traffic, no fail-open under load. Limits in effect today:
- /api/claim — 3 req/min/IP (free key issuance)
- /v1/waitlist/add — 5 req/min/IP
- /api/recent-signals — 60 req/min/IP
- /api/stats — 60 req/min/IP
- /api/open-positions — 60 req/min/IP
- /api/mini-oh/current — 120 req/min/IP
- /v1/mcp/recent — 60 req/min/key
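As an added illustration (not Mobile Trader's code), a plain-JavaScript sketch of the per-subject minute-window counter a Durable Object instance would hold, together with the fail-closed decision the text calls for. The limits are the ones listed above; the DO storage API is replaced by an in-memory Map, and the TEST-NET address in the scenario is constructed.

```javascript
// Added example, not Mobile Trader's own code: a per-subject one-minute window
// counter of the kind each Durable Object instance holds, plus the fail-closed
// decision wrapper. Limits are the page's; DO storage is replaced by a Map.
const LIMITS = {
  '/api/claim': 3,
  '/v1/waitlist/add': 5,
  '/api/recent-signals': 60,
  '/api/stats': 60,
  '/api/open-positions': 60,
  '/api/mini-oh/current': 120,
  '/v1/mcp/recent': 60, // subject is the API key, not the IP
};

// One counter per (path, subject). A Durable Object serializes every request to
// the same instance, so the read-increment-write below has no race window; in a
// single Node process the same holds because the event loop runs it atomically.
class WindowCounter {
  constructor() { this.windows = new Map(); } // minute bucket -> count
  increment(nowMs) {
    const bucket = Math.floor(nowMs / 60_000);
    const count = (this.windows.get(bucket) || 0) + 1;
    this.windows.set(bucket, count);
    for (const b of this.windows.keys()) if (b < bucket) this.windows.delete(b); // drop stale buckets
    return count;
  }
}

const counters = new Map(); // `${path}|${subject}` -> WindowCounter
function defaultCounter(id) { if (!counters.has(id)) counters.set(id, new WindowCounter()); return counters.get(id); }

// Returns true if the request may proceed. Unknown paths and counter failures are
// denied: a limiter whose backend throws must fail closed, never open.
function allowRequest(path, subject, nowMs, getCounter = defaultCounter) {
  const limit = LIMITS[path];
  if (limit === undefined) return false;
  try {
    return getCounter(`${path}|${subject}`).increment(nowMs) <= limit;
  } catch (err) {
    return false; // e.g. the DO is unreachable under load
  }
}

// Constructed scenario: four claims from one TEST-NET IP within a minute, one more
// in the next minute, and a request whose counter backend is down.
function demo() {
  const t0 = 1_700_000_000_000;
  const burst = [0, 1, 2, 3].map((i) => allowRequest('/api/claim', '203.0.113.7', t0 + i * 1000));
  const nextMinute = allowRequest('/api/claim', '203.0.113.7', t0 + 60_000);
  const backendDown = allowRequest('/api/stats', '203.0.113.7', t0, () => { throw new Error('DO unavailable'); });
  return { burst, nextMinute, backendDown };
}
```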
Signal ingest — IP allow-listed
The /v1/signals/ingest and related private-write endpoints require both a Bearer token and a source IP on the allow-list (the operator's VPS). Even if the ingest key leaks, an attacker would also have to spoof a Cloudflare-edge-verified source IP — both must hold.
Any auth-bypass attempt fires an immediate Telegram alert to the operator.
CORS — strict origin allow-list
Public /api/* endpoints serve Access-Control-Allow-Origin only for https://mobile-trader.com. Requests from any other origin receive no CORS header, so browsers block the response. No wildcards anywhere on the API surface.
HTTP transport headers
Every response from the website and the API carries the modern browser-enforced security headers:
- Strict-Transport-Security — 1 year, includeSubDomains, preload-eligible
- Content-Security-Policy — script/style/img/font/connect locked to first-party + the API origin
- X-Frame-Options: DENY — site cannot be embedded in any iframe
- X-Content-Type-Options: nosniff
- Referrer-Policy: strict-origin-when-cross-origin
- Permissions-Policy — camera, microphone, geolocation, payment, USB all disabled
- Cross-Origin-Opener-Policy: same-origin
- Cross-Origin-Resource-Policy: same-origin
Free key issuance — anti-abuse and capacity
Every /api/claim submission must satisfy:
- Email well-formed (RFC-5321 syntax check) and not on a disposable-email blocklist
- Email not previously issued an active key (one key per email with active keys)
- Current active key count below the 50-key cap (otherwise CAPACITY_FULL response)
- Terms-acceptance checkbox confirmed (server-side validated)
- Rate-limit window not exceeded
Keys auto-expire 30 days after issuance. A daily cron revokes keys with zero MCP calls in the prior 14 days to free slots for new requests. Failed claims and revocations are logged to the audit table; spikes trigger Telegram alerts.
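The claim checks and the daily sweep above, worked through as an added example that is not Mobile Trader's code. The disposable-domain set, the rate-limit flag, the audit event names and the lowercasing of emails are stand-ins or assumptions of this example; the page's own blocklist and limiter are not shown.

```javascript
// Added example, not Mobile Trader's own code: the /api/claim eligibility checks and
// the daily expiry/revocation sweep, run against a constructed in-memory table. The
// disposable-domain set, rateLimited flag, event names and email lowercasing are assumptions.
const MAX_ACTIVE_KEYS = 50;
const KEY_TTL_MS = 30 * 24 * 3600 * 1000;     // keys auto-expire 30 days after issuance
const IDLE_REVOKE_MS = 14 * 24 * 3600 * 1000; // revoked if no MCP call in the prior 14 days
const DISPOSABLE_DOMAINS = new Set(['tempmail.example', 'mailinator.example']); // constructed
const EMAIL_RE = /^[^\s@]{1,64}@[^\s@]+\.[^\s@]+$/; // practical RFC 5321 shape check: local@domain.tld, no whitespace
const keys = [], auditLog = []; // keys: { email, issuedAt, lastMcpCall, active }; auditLog: { at, event, ... }
const activeKeys = () => keys.filter((k) => k.active);

// Every check must pass; each denial reason is written to the audit table.
function claim({ email, termsAccepted, rateLimited }, now) {
  const deny = (reason) => { auditLog.push({ at: now, event: 'CLAIM_DENIED', reason, email }); return { ok: false, reason }; };
  if (rateLimited) return deny('RATE_LIMITED');
  if (typeof email !== 'string' || email.length > 254 || !EMAIL_RE.test(email)) return deny('BAD_EMAIL');
  const normalized = email.toLowerCase();
  if (DISPOSABLE_DOMAINS.has(normalized.slice(normalized.lastIndexOf('@') + 1))) return deny('DISPOSABLE_EMAIL');
  if (termsAccepted !== true) return deny('TERMS_NOT_ACCEPTED'); // a form value such as 'on' is not acceptance
  if (activeKeys().some((k) => k.email === normalized)) return deny('KEY_EXISTS');
  if (activeKeys().length >= MAX_ACTIVE_KEYS) return deny('CAPACITY_FULL');
  keys.push({ email: normalized, issuedAt: now, lastMcpCall: now, active: true });
  auditLog.push({ at: now, event: 'CLAIM_OK', email: normalized });
  return { ok: true };
}

// Daily cron: deactivate keys past their 30-day TTL or idle for 14 days. Returns slots freed.
function dailySweep(now) {
  let freed = 0;
  for (const k of activeKeys()) {
    const expired = now - k.issuedAt >= KEY_TTL_MS;
    if (!expired && now - k.lastMcpCall < IDLE_REVOKE_MS) continue;
    k.active = false; freed++;
    auditLog.push({ at: now, event: expired ? 'KEY_EXPIRED' : 'KEY_REVOKED_IDLE', email: k.email });
  }
  return freed;
}

// Constructed scenario: fill the cap, hit CAPACITY_FULL, then let the sweep free idle slots.
function demo() {
  const day = 24 * 3600 * 1000;
  for (let i = 0; i < MAX_ACTIVE_KEYS; i++) claim({ email: `user${i}@example.com`, termsAccepted: true }, 0);
  const full = claim({ email: 'late@example.com', termsAccepted: true }, day).reason;
  const dup = claim({ email: 'User0@Example.com', termsAccepted: true }, day).reason;
  const noTerms = claim({ email: 'y@example.com', termsAccepted: 'on' }, day).reason;
  keys[0].lastMcpCall = 13 * day; // one user kept calling MCP; the other 49 went idle
  const freed = dailySweep(14 * day);
  const afterSweep = claim({ email: 'late@example.com', termsAccepted: true }, 14 * day).ok;
  return { full, dup, noTerms, freed, afterSweep };
}
```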
Secrets handling
All Worker secrets — SIGNAL_INGEST_KEY, STATS_UPLOAD_KEY, RESET_ADMIN_KEY, RESEND_API_KEY, SOLANA_RPC URL, TELEGRAM_BOT_TOKEN — are managed via wrangler secret and never appear in source, environment dumps, build artifacts, or response bodies. Rotation cadence: quarterly, or immediately on any suspected compromise.
Audit log
The audit_log table records every key-issuance outcome, every signal-ingest denial, every admin-reset attempt, every email-delivery event, every IP-deny event. Retention: 90 days for ingest/auth events; key-issuance audit entries are kept 12 months for service-operations purposes (see /privacy).
Intellectual-property leak protection (build-time)
The site source is scanned at every build by an explicit banned-term gate. Internal bot-logic names, gate identifiers, scoring shorthands, and trigger names are statically blocked from ever shipping to the public bundle. The gate runs twice — once on the source files, once on the built distribution — and any hit hard-fails the build. The same banned-term list is applied to the public live-feed pump on the VPS side.
No analytics, no tracking, no third-party scripts
The site loads zero third-party JavaScript. No Google Analytics, no Mixpanel, no Hotjar, no Segment, no ad networks. The CSP connect-src directive explicitly disallows fetches to anything other than our own API origin. The only outbound network call the browser makes from this page is to api.mobile-trader.com for live data.
Reporting a vulnerability
Found something? Reach out via the contacts in the footer or DM @mobile_Trader_ on X. We respond within 24 hours for credible reports. We don't run a paid bounty programme today, but credit (and discretionary appreciation) goes to anyone who finds something real.
What this page is not
It is not a SOC 2 certification, a penetration-test report, or a guarantee. Memecoin trading carries total-loss risk no security posture can offset, and any cloud service can be compromised by a sufficiently determined attacker. This page describes the engineering controls in place — not a promise that they are unbreakable.