This is a community sourced checklist of security measures to take before launching your store. Think of it as a pre-flight checklist so you don't forget something important because you've been in a headlong rush for the last few months to get all the features of your eCommerce site built.
This checklist applies only to Magento 2.x versions.
- Are all inputs validated on the server side?
- (TODO: Link to validation tutorial)
- Are you sanitizing all inputs as well? (e.g. casting to an integer if a number is expected)
- Are you correctly protecting your code against PHP string comparison vulnerabilities? (e.g. `==` vs `===`)
- Are you using Magento's built-in `form_key` validation on all custom forms?
- (TODO: Link for more info on CSRF anti-forgery tokens)
- Are you properly escaping all output to screen using `escapeHtml()`, `escapeJs()` and similar functions?
- Are you setting the `HttpOnly` and `Secure` flags on any custom cookies?
- Are you using the `Magento\Config\Model\Config\Backend\Encrypted` backend model for sensitive API data stored in the DB (e.g. payment gateway keys)?
- Are you using any dynamic code execution functions like `eval` or `shell_exec`?
- Are you building MySQL queries properly and not using direct queries?
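As an added example (not part of the checklist and using no Magento APIs), the plain PHP below shows why the `==` comparison flagged above is dangerous for signature or token checks, and what `===`, `hash_equals()` and integer validation of inputs do instead; the digest values are constructed for the demonstration.

```php
<?php
// Added example, not part of the checklist: plain PHP, no Magento dependencies.
// Shows the `==` vs `===` pitfall for security-sensitive string comparisons
// (e.g. a webhook signature or token check) and integer sanitisation of input.
declare(strict_types=1);

// Constructed sample values. Both strings look numeric to PHP ("0e" followed by
// digits is scientific notation for zero), so `==` compares them as 0.0 == 0.0
// and reports them equal even though the strings differ. Any hex digest or token
// that happens to have this shape can be matched by another string of the same shape.
const STORED_DIGEST    = '0e1234567890';
const SUBMITTED_DIGEST = '0e9876543210';

// Vulnerable: loose comparison applies type juggling before comparing.
function looseCompare(string $known, string $submitted): bool
{
    return $known == $submitted;
}

// Better: strict comparison checks type and content, with no juggling.
function strictCompare(string $known, string $submitted): bool
{
    return $known === $submitted;
}

// Recommended for secrets: hash_equals() is strict and also constant-time,
// so response timing does not reveal how many leading bytes matched.
function safeCompare(string $known, string $submitted): bool
{
    return hash_equals($known, $submitted);
}

// Sanitising a numeric request parameter: validate as a positive integer and
// return null for anything else instead of passing the raw string on.
function parseEntityId(string $raw): ?int
{
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

// Only looseCompare() considers the two constructed digests equal.
foreach (['looseCompare', 'strictCompare', 'safeCompare'] as $fn) {
    printf("%-13s => %s\n", $fn, $fn(STORED_DIGEST, SUBMITTED_DIGEST) ? 'equal' : 'not equal');
}
// Only '42' survives validation; the others are rejected as null.
foreach (['42', '42abc', '-7', '0'] as $raw) {
    printf("parseEntityId(%s) => %s\n", var_export($raw, true), var_export(parseEntityId($raw), true));
}
```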
- Are all sensitive or system specific settings treated as sensitive configuration?
- Are you adhering to the Magento Technical Guidelines when developing custom code?
- Do you have the latest version of all the extensions being used on the site?
- Are all your extensions using Magento ACL properly to limit the scope of users?
- (TODO: ACL tutorial)
- Did you perform a security audit on 3rd party extensions used on the store?
- At the very least, execute an extension code review against the Magento Coding Standards
- Review that passwords, API credentials or other sensitive data stored by 3rd party extensions are not saved in the database in plaintext!
- (TODO: Link to more sample tools to help perform a security audit on extensions)
- Review the need for the `Magento_Swagger` and `Magento_Version` modules in the production environment (consider disabling those core modules or, at the very least, restrict access to `hostname/magento_version` and `hostname/swagger`)
- Are you using a custom Magento Admin URL?
- Is access to your Admin URL IP whitelisted or protected via VPN?
- Confirm that Web -> Default Cookie Settings -> Use HTTP Only is not disabled.
- Are you using 2FA for your admin login?
- Are there any old/unused admin users which were created for testing or development that should be removed?
- Is your site logging information in a format that is easily reviewed by your team?
- Is your site logging any potentially sensitive information?
- Is your TLS certificate properly installed and your OpenSSL configuration set to high standards?
- Do you have notifications turned on for filesystem integrity?
- Disable server signature:
- Nginx - `server_tokens off;`
- Apache - ServerSignature directive - `ServerSignature Off`
- Apache - ServerTokens directive - `ServerTokens Prod`
- Set secure PHP settings in `php.ini`
- Minimize the number of PHP modules you have installed. Remove any not needed by Magento.
- Disable PHP version exposure: `expose_php = Off`
- Disable script name exposure for the `mail()` function: `mail.add_x_header = Off`
- Disable error display: `display_errors = Off`
- Set the httponly flag as default for cookies: `session.cookie_httponly = On`
- Set the secure flag as default for cookies: `session.cookie_secure = On`
- Disable remote file inclusion: `allow_url_fopen = Off` and `allow_url_include = Off`
- Set `open_basedir` and `upload_tmp_dir` to appropriate directories for your distro/installation
- Are there any (development) files or database dumps lying around in the production document root that are not intended for public usage (for example info.php, phpinfo.php, dbdump.sql.gz)?
- Does an unnecessary `.git` folder or `.gitignore` file exist in your production filesystem?
- Are any files required for server operation publicly readable? e.g. `php.ini` or `.user.ini`
- Do all the folders in your docroot have the appropriate permissions set (for example var/logs, var/report, install)?
- Have you analyzed your HTTP response headers for problems?
- Unless you have specific requirements for them, have you limited all requests to `GET` and `PUT`?
- Can you make your Magento PHP installation files read-only?
- Do you have a process for matching the production server files with a known good state?
- TODO: need to add mod_security information
- Do you have an Incident Response Plan implemented and tested (mock scenario)?
- Do you have a person with regular scheduled time to review log messages for suspicious behaviour?
- What is your process for dealing with IP addresses that attempt directory brute-forcing?
- Do you have automated offsite backups for your site enabled?
- Are these backups encrypted and on a non-public location?
- Are these backups treated with the same level of security as your existing code?
- Do you have a process for sanitizing production data for developers?
- Do you have a list of developers/support staff with full access to your production systems and a process for accessing them?
- Does your site contain the latest security patches and updates?
- Do you have a person with a subscription to security notices from Magento security blog for urgent patches/updates?
- Do you have a recurring reminder to regularly review the validity of existing admin accounts?
- Recommended monthly
- If you are using a Web Application Firewall (WAF) does it provide virtual patching and how do you keep it up to date?
- Magento User Guide's Security Best Practices