diff --git a/docs/ai-agents/payments/accepting-payments.mdx b/docs/ai-agents/payments/accepting-payments.mdx index 8dcea8224..98db84c53 100644 --- a/docs/ai-agents/payments/accepting-payments.mdx +++ b/docs/ai-agents/payments/accepting-payments.mdx @@ -90,6 +90,10 @@ app.listen(3000); The middleware returns `402` to unpaid callers. The CDP facilitator handles verification and onchain settlement. + +When using postMessage or embedding third-party iframes, always validate the message origin to prevent potential security vulnerabilities. + + [x402 seller quickstart →](https://docs.cdp.coinbase.com/x402/docs/client-server-model) ## Configuring facilitators
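Review bot: The added sentence about postMessage and third-party iframes does not belong in this hunk; the surrounding text in accepting-payments.mdx describes server-side x402 middleware that returns `402` to unpaid callers and defers verification and settlement to the CDP facilitator, and nothing in this section involves browser messaging or embedding, so the advice reads as a non sequitur. If the guidance is intended, move it to a page that actually covers client-side embedding and make it actionable, for example by saying what to compare `event.origin` against (an explicit allowlist of expected origins) and that messages from any other origin must be ignored, rather than "to prevent potential security vulnerabilities". Also, the two blank `+` lines around the new paragraph leave a double blank line before `[x402 seller quickstart →]`; one blank line on each side is enough.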