SolSentry #2 · x402 enforcement + browser-agent CORS

Your paid stats endpoint says “payment required”, but still returns the ledger.

This packet is tailored to solsentry/solsentry-app issue #2. A no-payment public readback still shows GET /v1/x402/stats returning 200 OK with ledger JSON while also advertising X-Payment-Enforce: true. The preflight path also omits X-PAYMENT, which blocks browser x402 clients before they can retry with a proof.

1. Fail closed

No X-PAYMENT should return 402 and a machine-readable challenge, not paid ledger JSON.

2. Browser-ready CORS

OPTIONS should allow X-PAYMENT, expose payment/receipt headers, and vary on origin/request headers.

3. Receipt separation

Accepted paid calls should return data plus X-PAYMENT-RESPONSE; denied calls should leak no paid payload.

Observed no-payment transcript

GET https://api.solsentry.app/v1/x402/stats
Origin: https://solsentry.app

HTTP/1.1 200 OK
Access-Control-Allow-Origin: *
Access-Control-Allow-Headers: Content-Type, Authorization, X-Client-ID
X-Payment-Required: true
X-Price-USDC: 0.001
X-Payment-Network: solana-mainnet
X-Payment-Protocol: x402
X-Payment-Enforce: true

{ "total_queries": 53622, "total_usdc_billed": 53.622, ... }

OPTIONS /v1/x402/stats
Access-Control-Request-Headers: X-PAYMENT, Content-Type

HTTP/1.1 204 No Content
Access-Control-Allow-Headers: Content-Type, Authorization, X-Client-ID

The endpoint can truthfully advertise payment enforcement only after the unpaid path stops returning the protected ledger body and the preflight accepts the payment header used by x402 clients.
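A minimal route handler that meets all three points above, written as an added example for this packet (it is not solsentry-app code). It assumes an origin allowlist, a stand-in verifyPayment() in place of the real x402 proof check, a constructed ledger sample, and a challenge body shape of my own; only the header names and values come from the transcript.

```javascript
// Added example, not solsentry-app code. Fail-closed x402 gate for GET /v1/x402/stats:
// unpaid GET -> 402 challenge, no ledger; OPTIONS -> X-PAYMENT allowed; paid GET -> ledger + receipt.
const ALLOWED_ORIGINS = new Set(['https://solsentry.app']); // assumption: allowlist, not '*'
const PAYMENT_HEADERS = {            // values taken from the observed transcript
  'X-Payment-Required': 'true',
  'X-Price-USDC': '0.001',
  'X-Payment-Network': 'solana-mainnet',
  'X-Payment-Protocol': 'x402',
  'X-Payment-Enforce': 'true',
};
const LEDGER = { total_queries: 53622, total_usdc_billed: 53.622 }; // constructed sample

// CORS headers: allow the payment header on preflight, expose payment/receipt
// headers to browser clients, and vary on origin and requested headers.
function corsHeaders(origin) {
  const h = {
    'Access-Control-Allow-Headers': 'Content-Type, Authorization, X-Client-ID, X-PAYMENT',
    'Access-Control-Expose-Headers':
      'X-Payment-Required, X-Price-USDC, X-Payment-Network, X-Payment-Protocol, X-PAYMENT-RESPONSE',
    Vary: 'Origin, Access-Control-Request-Headers',
  };
  if (ALLOWED_ORIGINS.has(origin)) h['Access-Control-Allow-Origin'] = origin; // omit otherwise
  return h;
}

// Stand-in for the real proof verification (assumption): accepts one demo token.
function verifyPayment(proof) {
  return proof === 'demo-valid-proof' ? { receipt: 'receipt-demo' } : null;
}

// req: { method, headers } with lower-case header names; returns { status, headers, body }.
function handleStats(req) {
  const headers = corsHeaders(req.headers['origin'] || '');
  if (req.method === 'OPTIONS') return { status: 204, headers, body: null };

  Object.assign(headers, PAYMENT_HEADERS, { 'Content-Type': 'application/json' });
  const proof = req.headers['x-payment'];
  const paid = proof ? verifyPayment(proof) : null;
  if (!paid) {
    // Fail closed: machine-readable challenge only; the ledger body never leaves here.
    const challenge = { error: 'payment_required', protocol: 'x402',
                        price_usdc: '0.001', network: 'solana-mainnet' };
    return { status: 402, headers, body: challenge };
  }
  headers['X-PAYMENT-RESPONSE'] = paid.receipt; // receipt only on accepted paid calls
  return { status: 200, headers, body: LEDGER };
}
```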

Expected contract

Regression smoke script

# no wallet, no signature, no paid call
curl -si https://api.solsentry.app/v1/x402/stats \
  -H 'Origin: https://solsentry.app'
# expect: 402, payment challenge, no ledger JSON

curl -si -X OPTIONS https://api.solsentry.app/v1/x402/stats \
  -H 'Origin: https://solsentry.app' \
  -H 'Access-Control-Request-Method: GET' \
  -H 'Access-Control-Request-Headers: X-PAYMENT, Content-Type'
# expect: 204 and Access-Control-Allow-Headers includes X-PAYMENT

Relevant proof