Difference between revisions of "X-Cart:Security Options"
Revision as of 11:38, 17 September 2010
General security options
The 'General settings/Security options' page allows you to adjust the options that affect your store's security (the encryption methods used in your store, HTTPS options, etc.) and to test PGP/GnuPG data encryption.
- Order emails encryption method: Method that you wish to be used for encrypting order emails.
- Comma separated list of file extensions disallowed for uploading: A comma separated list of disallowed file extensions (For example, php, pl, cgi, asp, exe, com, bat, pif). Uploading onto the server of files with these extensions will not be possible.
- Check if payment gateway response is coming from the IP's specified here (enter a comma separated list): A comma separated list of IP addresses from which payment gateway responses can be accepted.
We strongly recommend that you add a comma separated list of IP addresses from which payment gateway responses can be accepted for the Web-based payment methods on this page. For information about the IP addresses a payment gateway may use, contact the payment gateway's support.
Web-based means that a customer is redirected to the payment gateway site, where he or she enters the credit card data. After the payment is completed, the customer is redirected back to the store. Web-based payment methods can use special callback queries to the store to report the transaction status on the payment gateway's side. Malicious users can try to fake these callback queries to manipulate the order status in the store. That is why it is necessary to fill in the list of IP addresses from which callback queries to the store are allowed.
- Enable merchant key based blowfish encryption method: Enabling this option enables Merchant key-based Blowfish encryption for order details. As soon as you select the check box and click the Save button, you are redirected to a page where you are prompted to create a Merchant key - a password which X-Cart uses to encrypt and decrypt order details with the Blowfish encryption method. After you create a Merchant key, all the order details in your store are re-encrypted using this new key.
- Check MD5 of compiled templates for better store protection at a shared hosting: If selected, a special routine checks whether the MD5 checksums of the compiled templates of pages served to a user's web browser match the authentic checksums for these templates. If the sums for a certain compiled template do not match, the template is discarded and compiled anew. Compiled templates whose MD5 checksum does not match the authentic one are considered potentially harmful: the detected checksum mismatch indicates that the PHP code of such templates has been altered and may contain malicious code.
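The following PHP is an added example, not X-Cart's own code, showing how three of the checks configured above (the disallowed upload extensions, the payment gateway callback IP list, and the compiled-template MD5 check) can be implemented defensively. The function names, the sample file names and the sample IP addresses are constructed for this illustration; the option values are the ones quoted on this page.

```php
<?php
// Added example, not X-Cart's own code. All function names and sample
// values below are constructed for illustration.

/** Split a comma separated setting into trimmed, lower-cased, non-empty items. */
function parseCommaList(string $setting): array
{
    $items = [];
    foreach (explode(',', $setting) as $item) {
        $item = strtolower(trim($item));
        if ($item !== '') {
            $items[] = ltrim($item, '.');   // accept "php" and ".php" alike
        }
    }
    return $items;
}

/**
 * "Comma separated list of file extensions disallowed for uploading".
 * Every dotted segment after the first is checked, not only the last one,
 * so "shell.php.jpg" is rejected as well: some web server configurations
 * hand such names to the PHP interpreter regardless of the final extension.
 * Case and surrounding whitespace are ignored, so "SHELL.PHP " is caught too.
 */
function uploadIsDisallowed(string $filename, string $disallowedSetting): bool
{
    $disallowed = parseCommaList($disallowedSetting);
    $segments = explode('.', strtolower(basename($filename)));
    array_shift($segments);                // drop the part before the first dot
    foreach ($segments as $ext) {
        if (in_array(trim($ext), $disallowed, true)) {
            return true;
        }
    }
    return false;
}

/**
 * "Check if payment gateway response is coming from the IP's specified here".
 * Addresses are compared in packed binary form, so different spellings of the
 * same IPv6 address (letter case, zero compression) compare equal and nothing
 * else does. Invalid entries on either side never match.
 */
function callbackSourceAllowed(string $remoteAddr, string $allowedSetting): bool
{
    if (filter_var($remoteAddr, FILTER_VALIDATE_IP) === false) {
        return false;
    }
    $packed = inet_pton($remoteAddr);
    foreach (parseCommaList($allowedSetting) as $allowed) {
        if (filter_var($allowed, FILTER_VALIDATE_IP) !== false
            && hash_equals(inet_pton($allowed), $packed)) {
            return true;
        }
    }
    return false;
}

/**
 * "Check MD5 of compiled templates": compare the checksum of a compiled
 * template with the authentic value recorded when it was compiled. On a
 * mismatch the compiled file is discarded so that the caller compiles it anew.
 * $authenticMd5 must be kept outside the writable template cache directory,
 * otherwise a tampered file could be accompanied by its own "authentic" sum.
 */
function compiledTemplateIsAuthentic(string $compiledPath, string $authenticMd5): bool
{
    $actual = is_file($compiledPath) ? md5_file($compiledPath) : false;
    if ($actual === false || !hash_equals(strtolower($authenticMd5), $actual)) {
        if (is_file($compiledPath)) {
            unlink($compiledPath);             // discard; the caller recompiles
        }
        return false;
    }
    return true;
}

// --- Constructed sample usage ---
$disallowedSetting = 'php, pl, cgi, asp, exe, com, bat, pif';  // option value from this page
var_dump(uploadIsDisallowed('invoice.pdf', $disallowedSetting));
var_dump(uploadIsDisallowed('shell.PHP', $disallowedSetting));
var_dump(uploadIsDisallowed('shell.php.jpg', $disallowedSetting));

$gatewayIps = '203.0.113.10, 2001:db8::1';   // constructed; use the addresses your gateway's support gives you
var_dump(callbackSourceAllowed($_SERVER['REMOTE_ADDR'] ?? '', $gatewayIps));
var_dump(callbackSourceAllowed('2001:DB8:0:0:0:0:0:1', $gatewayIps));  // same address, different spelling
```

Two points a practitioner will want to keep in mind: the callback check must use the TCP peer address (REMOTE_ADDR), not an X-Forwarded-For or similar header, unless a reverse proxy you control sets that header, because a forged callback can carry any header it likes; and the extension list is a blocklist that has to be kept current for the interpreters and handlers your server actually runs, so an allowlist of the extensions you do expect (images, PDFs) is the stronger design where the application permits it.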
PCI DSS compliance options
- Number of failed login attempts after which a user account must be suspended: The number of login attempts that a user is allowed to make using an incorrect password before X-Cart automatically suspends their account. For compliance with PCI Data Security Standard, set this value to 6.
- Lockout duration in minutes (Leave empty if you do not want to automatically re-enable automatically suspended users): The time period for which a user must remain suspended after having been automatically suspended by the system after a number of failed login attempts. For compliance with PCI Data Security Standard, set this value to 30 minutes or leave the field empty.
- Number of days of inactivity after which an administrator account must be suspended (Set to 0 or leave empty if you do not wish to suspend unused administrator accounts): The number of days that an administrator account may remain inactive before getting automatically suspended by X-Cart. For compliance with PCI Data Security Standard, set this value to 90 days.
- Use password strength check: This option allows you to enable a password strength check for passwords created by the users of your store. If this option is enabled, every time a user creates a new password for their account, X-Cart checks that the password contains both numeric and alphabetic characters and is no less than 7 characters in length. If this option is disabled, no such check is performed. For compliance with PCI Data Security Standard, enable this option.
- Number of days after which non-customer users must be requested to change their password: The number of days since the user's most recent login after which X-Cart must request the user to change their password. This setting is relevant only for non-customer users (administrators, providers). For compliance with PCI Data Security Standard, set this value to 90 days.
- Do not allow a user to submit a new password that is the same as any of the last four passwords they have used: This option helps you ensure that users who are requested to change their password will change their password to something new (not a password they have already used). For compliance with PCI Data Security Standard, enable this option.
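As an added example (not X-Cart's own code), the PHP below models the six PCI DSS options above as one account policy: the failed-login limit, the optional lockout duration (an empty duration meaning the account stays suspended until an administrator re-enables it), administrator inactivity suspension, the password strength rule, password expiry for non-customer users, and the last-four-passwords history. The AccountPolicy class, the account array layout and the sample values are constructed for this illustration and use PHP 8 syntax.

```php
<?php
// Added example, not X-Cart's own code. The class, array layout and sample
// values are constructed for illustration; defaults are this page's PCI DSS values.

final class AccountPolicy
{
    public function __construct(
        public int  $maxFailedLogins     = 6,    // suspend after this many failures
        public ?int $lockoutMinutes      = 30,   // null = "leave empty": stay suspended until re-enabled by hand
        public int  $adminInactivityDays = 90,   // 0 = never suspend inactive administrators
        public int  $passwordMaxAgeDays  = 90,   // non-customer users only
        public int  $passwordHistorySize = 4,
    ) {}
}

/** "Use password strength check": at least 7 characters, containing both letters and digits. */
function passwordIsStrong(string $password): bool
{
    return mb_strlen($password) >= 7
        && preg_match('/\p{L}/u', $password) === 1
        && preg_match('/\p{N}/u', $password) === 1;
}

/** "... the same as any of the last four passwords": compare against the stored hashes, never plaintext. */
function passwordWasUsedBefore(string $password, array $previousHashes, AccountPolicy $p): bool
{
    foreach (array_slice($previousHashes, -$p->passwordHistorySize) as $hash) {
        if (password_verify($password, $hash)) {
            return true;
        }
    }
    return false;
}

/** Count a failed login and suspend the account once the limit is reached. */
function recordFailedLogin(array &$account, int $now, AccountPolicy $p): void
{
    $account['failed_logins']++;
    if ($account['failed_logins'] >= $p->maxFailedLogins) {
        $account['suspended_at'] = $now;
    }
}

/** A successful login resets the failure counter and the inactivity clock. */
function recordSuccessfulLogin(array &$account, int $now): void
{
    $account['failed_logins'] = 0;
    $account['last_login'] = $now;
}

/**
 * Decide whether a login attempt may proceed at all. A suspension ends only
 * when a lockout duration is configured and has elapsed; with an empty
 * duration the account stays suspended until an administrator re-enables it.
 */
function loginIsBlocked(array &$account, int $now, AccountPolicy $p): bool
{
    if ($account['suspended_at'] !== null) {
        if ($p->lockoutMinutes === null
            || $now - $account['suspended_at'] < $p->lockoutMinutes * 60) {
            return true;
        }
        $account['suspended_at'] = null;     // lockout elapsed: automatic re-enable
        $account['failed_logins'] = 0;
    }
    if ($account['role'] === 'admin' && $p->adminInactivityDays > 0
        && $now - $account['last_login'] > $p->adminInactivityDays * 86400) {
        $account['suspended_at'] = $now;     // inactive administrator account
        return true;
    }
    return false;
}

/** Non-customer users (administrators, providers) must change an expired password. */
function passwordChangeRequired(array $account, int $now, AccountPolicy $p): bool
{
    return $account['role'] !== 'customer'
        && $now - $account['password_changed_at'] > $p->passwordMaxAgeDays * 86400;
}

// --- Constructed sample walk-through ---
$policy = new AccountPolicy();           // the values this page recommends for PCI DSS
$now = time();
$admin = [
    'role' => 'admin', 'failed_logins' => 0, 'suspended_at' => null,
    'last_login' => $now - 86400, 'password_changed_at' => $now - 100 * 86400,
    'password_history' => [password_hash('Winter2010', PASSWORD_DEFAULT)],
];
for ($i = 0; $i < 6; $i++) {
    recordFailedLogin($admin, $now, $policy);
}
var_dump(loginIsBlocked($admin, $now, $policy));             // six failures: suspended
var_dump(loginIsBlocked($admin, $now + 31 * 60, $policy));   // 30-minute lockout has elapsed
var_dump(passwordChangeRequired($admin, $now, $policy));     // password is 100 days old
var_dump(passwordIsStrong('abc1234'), passwordIsStrong('abcdefg'));
var_dump(passwordWasUsedBefore('Winter2010', $admin['password_history'], $policy));
```

The history check works on password hashes, so the store never has to keep previous passwords in clear; the order of the checks in loginIsBlocked matters too, since an administrator whose lockout has expired but who has also been inactive for longer than the configured number of days is suspended again immediately rather than silently re-enabled.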
HTTPS options
- Use HTTPS for users' login and registration: If selected, existing users log in to the store and new users get registered using HTTPS.
- Use secure login form on a separate page (HTTPS): If selected, your store's authorization pages will provide links to special secure login pages allowing users to log in to the store using HTTPS.
- Do not redirect customers from HTTPS to HTTP: If selected, customers use HTTPS all the time while using your store. You can unselect this check box if you want to enable redirection of customers to HTTP for pages where security is not required.
PGP options
- Home path: Path to the PGP home directory (the directory where the PGP configuration file and keyrings are stored).
- PGP binary path: Path to PGP executable.
- PGP user id: Your user ID (an ASCII string used to identify a user).
- PGP public key: Public key that will be used to encrypt your data (After you paste your public key into this field and click the Save button, the key will be added to your public keyring).
- Use PGP version 6: Selecting this check box enables you to use PGP version 6.
GnuPG options
- Home path: Path to GnuPG home directory.
- GnuPG binary path: Path to GnuPG executable.
- GnuPG user id: Your user ID.
- GnuPG public key: Public key that will be used to encrypt your data.
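The following PHP is an added example, not X-Cart's own code, of using the four GnuPG settings above (binary path, home path, user id, public key) to import the pasted public key into the keyring and to encrypt an order e-mail with it. The function names, the sample paths and the sample user id are constructed for this illustration; the gpg command-line options used are standard GnuPG options.

```php
<?php
// Added example, not X-Cart's own code. Function names and sample values
// are constructed for illustration.

/** Run the GnuPG binary with $args, feeding $stdin; returns [exit status, stdout, stderr]. */
function runGnupg(string $binaryPath, string $homePath, array $args, string $stdin): array
{
    // Every operator-controlled value passes through escapeshellarg(); the data
    // to encrypt travels over stdin, never as an argument (the process list is
    // visible to other users of the host, which matters on shared hosting).
    $command = escapeshellarg($binaryPath)
        . ' --homedir ' . escapeshellarg($homePath)
        . ' --batch --yes --no-tty '
        . implode(' ', array_map('escapeshellarg', $args));

    $pipes = [];
    $proc = proc_open($command, [['pipe', 'r'], ['pipe', 'w'], ['pipe', 'w']], $pipes);
    if (!is_resource($proc)) {
        throw new RuntimeException('Unable to start GnuPG');
    }
    fwrite($pipes[0], $stdin);
    fclose($pipes[0]);
    // gpg's stderr output is small, so reading the pipes one after the other is safe here.
    $stdout = stream_get_contents($pipes[1]);
    $stderr = stream_get_contents($pipes[2]);
    fclose($pipes[1]);
    fclose($pipes[2]);
    return [proc_close($proc), $stdout, $stderr];
}

/** "GnuPG public key": add the pasted key to the public keyring in the home directory. */
function gnupgImportPublicKey(string $binaryPath, string $homePath, string $armoredKey): void
{
    [$status, , $stderr] = runGnupg($binaryPath, $homePath, ['--import'], $armoredKey);
    if ($status !== 0) {
        throw new RuntimeException("GnuPG import failed: $stderr");
    }
}

/** Encrypt $plaintext to the configured "GnuPG user id"; returns ASCII-armored ciphertext. */
function gnupgEncrypt(string $binaryPath, string $homePath, string $userId, string $plaintext): string
{
    // --trust-model always: the key was placed on the keyring by the store
    // administrator through the settings page, so the web-of-trust check is
    // skipped for it. Keep the home directory unreadable to other users so
    // that nobody else can swap the key.
    [$status, $stdout, $stderr] = runGnupg(
        $binaryPath,
        $homePath,
        ['--armor', '--trust-model', 'always', '--encrypt', '--recipient', $userId],
        $plaintext
    );
    if ($status !== 0 || strpos($stdout, '-----BEGIN PGP MESSAGE-----') !== 0) {
        throw new RuntimeException("GnuPG encryption failed: $stderr");
    }
    return $stdout;
}

// --- Constructed sample values (replace with the settings from this page) ---
$gnupgBinary = '/usr/bin/gpg';                // "GnuPG binary path"
$gnupgHome   = '/var/www/store/.gnupg';       // "Home path"; owned by and readable only to the web server user
$gnupgUserId = 'orders@example.com';          // "GnuPG user id"

// One-off, when the key is pasted into "GnuPG public key":
// gnupgImportPublicKey($gnupgBinary, $gnupgHome, $pastedArmoredKey);
echo gnupgEncrypt($gnupgBinary, $gnupgHome, $gnupgUserId, "Order #1001\nTotal: 42.00 USD\n");
```

The same wrapper serves the "Test data encryption" section at the end of this page: encrypting a short constructed message and checking that the output starts with the PGP message header is exactly the check that section performs by hand.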
P3P options
This section allows you to define your store's privacy policy. P3P-enabled web browsers use the information provided in this section to decide how to interact with your store site. For example, Microsoft Internet Explorer 6 can compare your store's privacy policy with the user's stored preferences to decide whether or not to allow cookies from your store site.
- P3P compact policy data: Your store's compact privacy policy (will be included in the HTTP header).
- P3P policy reference file url (leave empty if not used): URL of your store's P3P policy reference file.
Test data encryption
This section allows you to test whether PGP/GnuPG encryption is working correctly. For details, see the X-Cart:PGP/GnuPG page.