Security
How On-Chains Online is built, how to report a vulnerability, and how to tell a real message from us apart from a phishing attempt.
Anti-phishing: how to know a message is really from us
- Our only canonical URL is https://on-chains.online. Anything that looks similar but is not character-for-character identical is a fake.
- Mail from us always comes from a @heifereum.com address.
- We will never ask for a seed phrase, private key, recovery phrase, or password. By email, chat, voice, or any other channel. Ever.
- We will never DM you first to “verify” or “migrate” a wallet.
- We will never run an airdrop, giveaway, presale, or token sale.
Architecture
- Non-custodial. All transactions are signed in the user's own wallet extension. We do not hold keys, broadcast on a user's behalf, or escrow funds.
- Read-mostly server. The dashboard is a Next.js static / edge app. There is no traditional user database holding credentials.
- RPC isolation. Blockchain reads go through configured RPC providers (Helius, Alchemy, Infura). API keys live server-side; only public-RPC URLs are shipped to the client.
- No third-party trackers. We do not embed advertising scripts or behavioural-tracking pixels.
- HTTPS-only. All traffic uses TLS with HSTS, and every HTTP response also sets a strict Referrer-Policy and X-Content-Type-Options.
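The header policy in the last bullet, written out as an added example (not the project's own configuration): a Next.js `headers()` export that applies HSTS, a strict Referrer-Policy and X-Content-Type-Options to every route, plus a small audit function that checks a received header set against the same policy. The concrete values (the HSTS max-age, the `strict-origin-when-cross-origin` policy) are assumptions chosen for the example, not values stated on this page.

```javascript
// Example only: hypothetical next.config.js fragment and a header audit.
// Header values below are assumptions for the example, not the site's real ones.
const SECURITY_HEADERS = [
  // HSTS with a two-year max-age, covering subdomains
  { key: "Strict-Transport-Security", value: "max-age=63072000; includeSubDomains" },
  // Never leak full URLs to other origins
  { key: "Referrer-Policy", value: "strict-origin-when-cross-origin" },
  // Stop browsers from MIME-sniffing responses into scripts
  { key: "X-Content-Type-Options", value: "nosniff" },
];

// Shape Next.js expects from the `headers()` export: apply to every path.
async function headers() {
  return [{ source: "/:path*", headers: SECURITY_HEADERS }];
}

// Referrer policies that never send path or query to a cross-origin site.
const STRICT_REFERRER = ["no-referrer", "same-origin", "strict-origin", "strict-origin-when-cross-origin"];

// Audit a plain object of response headers (any key casing) and return the
// list of policy violations; an empty list means the policy is satisfied.
function auditSecurityHeaders(received) {
  const got = {};
  for (const [k, v] of Object.entries(received)) got[k.toLowerCase()] = String(v).trim();
  const problems = [];

  const hsts = got["strict-transport-security"];
  if (!hsts) {
    problems.push("missing Strict-Transport-Security");
  } else {
    const m = /max-age=(\d+)/i.exec(hsts);
    if (!m || Number(m[1]) < 31536000) problems.push("HSTS max-age below one year");
  }

  const rp = got["referrer-policy"];
  if (!rp) problems.push("missing Referrer-Policy");
  else if (!STRICT_REFERRER.includes(rp.toLowerCase())) problems.push(`weak Referrer-Policy: ${rp}`);

  if ((got["x-content-type-options"] || "").toLowerCase() !== "nosniff") {
    problems.push("X-Content-Type-Options is not nosniff");
  }
  return problems;
}
```

Running `auditSecurityHeaders` over the headers captured from a deployed origin (for example with `curl -I`) is a quick way to confirm the policy survived the edge/CDN layer.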
Responsible disclosure
If you believe you have found a security issue in the dashboard or its dependencies, please email security@heifereum.com before disclosing publicly. Include:
- A clear description of the issue and its impact.
- Reproduction steps, with a proof of concept where safe.
- Your preferred contact and any credit attribution.
We aim to acknowledge reports within 72 hours and to ship a fix (or a clear timeline) within 30 days for high-severity issues. Please do not open public GitHub issues for security problems.
Scope
In scope:
- The On-Chains Online frontend at https://on-chains.online.
- Server-side routes under /api on that origin.
Out of scope:
- Vulnerabilities in third-party wallets, RPC providers, explorers, or on-chain contracts not authored by us.
- Social-engineering attacks against individual users or operators.
- Volumetric denial-of-service tests — please do not run them against production.
Hygiene checklist for operators
- Use a hardware wallet for any signer with mint, burn, or freeze authority.
- Always read the network and contract address shown in your wallet's native signing dialog — not just the one displayed in the dashboard.
- Bookmark https://on-chains.online and reach the dashboard from the bookmark, not from search results or social-media links.
- Disconnect the wallet when you are finished, especially on shared devices.