From 0dc187ab5ff8529d567e89a3ba6cef19dd3ba458 Mon Sep 17 00:00:00 2001 From: yasnazariel <82168644+yasnazariel@users.noreply.github.com> Date: Sat, 2 May 2026 21:23:23 +0330 Subject: [PATCH] docs(x402): add security note for iframe messaging and fix code block formatting - add note about validating postMessage origin for security - replace invalid "bash Terminal" code blocks with standard "bash" This update improves the x402 documentation by adding a security note regarding postMessage usage with third-party iframes. Also standardizes code block formatting to ensure compatibility with MDX linting and rendering. --- docs/ai-agents/payments/accepting-payments.mdx | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/docs/ai-agents/payments/accepting-payments.mdx b/docs/ai-agents/payments/accepting-payments.mdx index 8dcea8224..98db84c53 100644 --- a/docs/ai-agents/payments/accepting-payments.mdx +++ b/docs/ai-agents/payments/accepting-payments.mdx @@ -90,6 +90,10 @@ app.listen(3000); The middleware returns `402` to unpaid callers. The CDP facilitator handles verification and onchain settlement. + +When using postMessage or embedding third-party iframes, always validate the message origin to prevent potential security vulnerabilities. + + [x402 seller quickstart →](https://docs.cdp.coinbase.com/x402/docs/client-server-model) ## Configuring facilitators
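Review bot: The commit message claims it replaces invalid "bash Terminal" code fences with "bash", but the diffstat shows 4 insertions and 0 deletions in a single file, and the only hunk adds four lines (two of them blank); either the fence change was dropped from the commit or the message should be trimmed to describe only the added note. The note itself is too vague to act on: "validate the message origin" should name the check, for example "in the `message` handler, compare `event.origin` against an allowlist of expected iframe origins and ignore anything else, and pass an explicit target origin to `postMessage` instead of `*`". It also lands between the server-side middleware paragraph and the seller quickstart link, where nothing in the surrounding text mentions iframes or browser messaging, so a one-line lead-in tying it to the embedded-checkout case (or moving it to the section that covers that) would help readers; the doubled blank `+` lines around it can be collapsed to one on each side.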