diff --git a/public/app-view.html b/public/app-view.html
index f145cbf7..91861821 100644
--- a/public/app-view.html
+++ b/public/app-view.html
@@ -20,18 +20,22 @@
 var iframe = document.getElementById('iframe');
 window.addEventListener('message', function(e) {
+ const trustedOrigin = 'https://trusted-origin.com'; // Replace with the actual trusted origin
+ if (e.origin !== trustedOrigin) {
+ return; // Ignore messages from untrusted origins
+ }
 if (e.data.type === 'set-content') {
 iframe.srcdoc = e.data.payload;
 } else {
 if (e.source === iframe.contentWindow) {
- window.parent.postMessage(e.data, '*');
+ window.parent.postMessage(e.data, trustedOrigin);
 } else if (e.source === window.parent) {
- iframe.contentWindow.postMessage(e.data, '*');
+ iframe.contentWindow.postMessage(e.data, trustedOrigin);
 }
 }
 }, false);
- window.parent.postMessage({ type: 'window-ready' }, '*');
+ window.parent.postMessage({ type: 'window-ready' }, 'https://trusted-origin.com'); // Use the actual trusted origin
 };
diff --git a/src/components/evm/src/evm.js b/src/components/evm/src/evm.js
index a14da546..55325051 100644
--- a/src/components/evm/src/evm.js
+++ b/src/components/evm/src/evm.js
@@ -848,8 +848,10 @@ function init(callback, debug = true) {
 // Preallocate account used for call()
 // TODO: move to general purpose addAccount
- var key =
- '79e8817a0b150357a5c30964e2d8b551da038a84d855687222b3bc581730df6e';
+ var key = process.env.PRIVATE_KEY; // Use environment variable instead of hardcoded key
+ if (!key) {
+ throw new Error('Private key not set in environment variables');
+ }
 var address = '0x620cbab1f950e38a964d02ddcf85ecfcbb9f468f';
 var accountData = {
 secretKey: key,
diff --git a/src/components/superprovider/index.js b/src/components/superprovider/index.js
index 4469894c..151bba11 100644
--- a/src/components/superprovider/index.js
+++ b/src/components/superprovider/index.js
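Review bot: The `trustedOrigin` constant and the `'window-ready'` target are both the literal placeholder `'https://trusted-origin.com'`, and nothing fails loudly if it is never replaced: `e.origin !== trustedOrigin` drops every message and a `postMessage` whose target origin does not match the receiver is silently discarded by the browser, so the relay just stops working with no error. The same placeholder recurs in both hunks of superprovider/index.js and in preview.service.js; it should be one shared value taken from configuration rather than five literals each carrying a "Replace with" comment. Note also that this handler relays in two directions but uses one origin for both: messages from the srcdoc iframe arrive with this document's own origin (unless the iframe is sandboxed, in which case `e.origin` is `"null"`), while messages from `window.parent` carry the embedding page's origin, so a single constant is only correct if those two are the same origin — worth checking and stating in a comment. At minimum hoist the literal so it appears once, e.g. `var TRUSTED_ORIGIN = 'https://trusted-origin.com'; // TODO: set to the origin of the embedding page` and use it for both the origin check and the 'window-ready' call. The enclosing function (closed by `};` at the end of the hunk) starts outside the hunk.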
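Review bot: `address` on the line after the new check stays hard-coded at `'0x620cbab1f950e38a964d02ddcf85ecfcbb9f468f'` while `secretKey` now comes from `PRIVATE_KEY`, so the preallocated account will pair an address with a key that does not control it unless the operator supplies exactly the old key; derive the address from the key (with whatever key utility this module already uses) or at least add `// NOTE: PRIVATE_KEY must be the key for this address` next to it. `init` takes a `callback`, so throwing synchronously from inside it may bypass whatever error path callers expect — if the module's convention is error-first callbacks, report via `callback(new Error('Private key not set in environment variables'))` instead (the rest of `init` is outside the hunk). If this module is bundled for the browser, `process.env.PRIVATE_KEY` is typically substituted at build time, which puts the key back into the shipped bundle; and the removed key remains in git history, so it should be treated as a throwaway dev-EVM account rather than a secret this change protects.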
@@ -35,7 +35,7 @@ export default class SuperProvider {
 if (this.iframe.contentWindow) {
 this.iframe.contentWindow.postMessage(
 { type: 'init', channel: this.channelId },
- '*'
+ 'https://trusted-origin.com' // Replace '*' with the specific trusted origin
 );
 }
 setTimeout(this._initIframe, 1000);
@@ -82,7 +82,7 @@ export default class SuperProvider {
 id: data.id,
 payload: { err: err, res: res },
 },
- '*'
+ 'https://trusted-origin.com' // Replace '*' with the specific trusted origin
 );
 } catch (e) {}
 };
diff --git a/src/services/preview.service.js b/src/services/preview.service.js
index 1e0b5366..124da892 100644
--- a/src/services/preview.service.js
+++ b/src/services/preview.service.js
@@ -29,6 +29,10 @@ export const previewService = {
 init(wallet) {
 window.addEventListener('message', async (e) => {
+ const expectedOrigin = 'https://trusted-origin.com'; // Replace with the actual expected origin
+ if (e.origin !== expectedOrigin) {
+ return; // Ignore messages from unexpected origins
+ }
 if (e.data.type === 'window-ready' && this.projectItem) {
 const builtProject = await buildProjectHtml(this.projectItem, wallet, this.disableAccounts, environment);
 exportableDappHtml = builtProject.exportableContent;
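Review bot: With a fixed target origin in the first hunk's `postMessage`, a mismatch between the literal and the iframe's real origin is not an error the `try/catch` in the second hunk can see — the browser simply drops the message — so the `'init'` handshake would keep retrying through `setTimeout(this._initIframe, 1000)` indefinitely with nothing logged. If the iframe is loaded from a URL rather than srcdoc, derive the target once instead of hard-coding it, `const iframeOrigin = new URL(this.iframe.src, location.href).origin;`, and pass `iframeOrigin` in both hunks, which also removes the duplicated `// Replace '*'` placeholder comment. The same placeholder literal appears in app-view.html and preview.service.js; whichever value is chosen, keep it in one place so the sending and receiving sides cannot drift apart. Both methods containing these hunks start and end outside the hunks.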