Daraja.HTTPClient.Compliance (daraja v0.1.0)

Copy Markdown View Source

Security checklist for custom Daraja.HTTPClient implementations.

The behaviour defines only the request/4 callback shape. When you provide your own adapter, ensure it meets these minimum requirements before using it with live M-PESA credentials:

  • TLS — Verify server certificates against a trusted CA store (or your pinned trust store). Never disable peer verification in production.
  • Credential safety — Do not log request or response bodies, headers such as Authorization, or STK Password fields.
  • Timeouts — Use bounded connect and receive timeouts so hung requests cannot accumulate indefinitely.
  • Redirects — Do not follow redirects to hosts outside Safaricom's documented API domains (sandbox.safaricom.co.ke, api.safaricom.co.ke).

Use checklist/0 in onboarding docs or CI smoke tests for custom clients.

Summary

Functions

checklist()

@spec checklist() :: [String.t()]