X-Cart:Security Options

From X-Cart 4 Classic
Latest revision as of 18:21, 1 March 2018

General security options

The 'General settings/Security options' page allows you to adjust options that affect your store's security (the encryption methods used in your store, HTTPS options, etc.) and to test the encryption of data by PGP/GnuPG.

  • Order emails encryption method: Method that you wish to be used for encrypting order emails.
  • Comma separated list of file extensions disallowed for uploading: A comma separated list of disallowed file extensions (for example, php, pl, cgi, asp, exe, com, bat, pif). Files with these extensions cannot be uploaded to the server. This is a denylist, so it blocks only what you list: include every extension your web server will execute as code (on many PHP installations that also means phtml, php3, php5 and phar), and revisit the list whenever the server configuration changes.
  • Check if payment gateway response is coming from the IP's specified here (enter a comma separated list): A comma separated list of "trusted" IP addresses from which your store accepts callbacks for payment methods with a gateway-hosted payment page. Obtain the complete list of callback source addresses from the respective payment gateway and update it when the gateway announces changes. Why it is necessary: payment systems with a gateway-hosted payment page call back to your store to report the status of the transaction on the gateway side. Anyone who can reach the callback URL may try to forge such a request and have an unpaid order recorded as paid. Note that this check identifies the caller by the source IP address of the connection: if your store sits behind a reverse proxy or CDN, the address the store sees is the proxy's, not the gateway's. Treat the IP list as one layer and keep whatever signature or hash verification the gateway's callback protocol provides.
  • Enable merchant key based blowfish encryption method: Enabling this option enables Merchant key-based Blowfish encryption for order details. As soon as you select the check box and click the Save button, you are redirected to a page where you are offered to create a Merchant key - a password which is used by X-Cart to encrypt and decrypt order details using Blowfish encryption method. After you create a Merchant key, all the order details in your store are re-encrypted using this new key.
Important: You will be asked to enter your Merchant key as a password every time you access order details. Keep your Merchant key in a secure place. If you lose it, all order details stored in your database are lost, as nothing else can decrypt them. Be aware that the 'Blowfish encryption method is enabled' option also cannot be disabled without a valid Merchant key. The protection this option gives rests entirely on the secrecy of the key (Blowfish is a legacy 64-bit-block cipher, and the key is the only secret), so use a long, randomly generated passphrase rather than a short word, and keep it in a password manager or offline backup rather than anywhere on the web server.
X-Cart 4.1.0-4.5.5
  • Check MD5 of compiled templates for better store protection at a shared hosting: If selected, a special routine checks whether the MD5 checksums of the compiled templates of the pages served to a user's web browser match the authentic checksums recorded for these templates. A mismatch means the compiled template on disk was changed after X-Cart generated it, which on shared hosting can indicate that another tenant or an intruder injected code into it; the template is then discarded and compiled anew. MD5 is used here purely to detect modification, not as a cryptographic signature, and the check adds a read and hash of each compiled template as it is served. It is recommended to keep this option disabled at all times to avoid a negative effect on the store's performance.
Note: Starting with X-Cart version 4.5.5, the option 'Check MD5 of compiled templates for better store protection at a shared hosting' is no longer present on the 'General settings/Security options' page. The functionality of checking the MD5 checksums of compiled templates is now controlled by the value of the constant COMPILED_TPL_CHECK_MD5 in X-Cart's main configuration file config.php.
X-Cart 4.1 or above
  • Include login/password used for authentication into the email notifications about failed login attempts: If your store is configured to send email notifications about failed login attempts (i.e. if the option 'Login error notification to site administrator' and/or the option 'All login error notifications to site administrator' in the 'General settings/Email Notifications' section is enabled), this setting specifies whether the login/password combinations used in the unsuccessful login attempts are included in those notifications. Use your best judgement: on the one hand, seeing the bad login/password combinations may help you spot account-cracking activity at your website; on the other hand, a mistyped password usually differs from the real one by a character or two, and email is normally unencrypted in transit and at rest, so a notification that is intercepted, or simply read later from an administrator's mailbox, can compromise the real credential. The safer default is to leave this option disabled and rely on the frequency and timing of the notifications themselves.
X-Cart 4.3 or above
  • DB backup reminder after the previous DB backup (in days): This option allows you to specify how often the store administrator should be reminded to back up the store's database. The DB backup reminder is displayed as a warning message in the store's Admin area. If you do not wish to use the DB backup reminder, leave this field empty or set its value to 0 (zero).
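The source-IP check behind the 'Check if payment gateway response is coming from the IP's specified here' option, written out as an added example (this is not X-Cart's code). It parses the same comma-separated format the option uses, and goes beyond the option in two ways that are this example's own assumptions: CIDR ranges are accepted alongside plain addresses, and an X-Forwarded-For header is honoured only when the direct peer is a proxy you operate, because on a directly exposed store that header is attacker-controlled. Function names and the constructed addresses (RFC 5737 documentation ranges) are hypothetical.

```python
"""Source-IP allowlist check for payment-gateway callbacks.

Added example, not X-Cart's own code.  CIDR support and the
reverse-proxy handling are assumptions of this example; X-Cart's
option itself takes a comma-separated list of plain addresses.
"""
import ipaddress


def parse_trusted_list(value: str) -> list:
    """Turn 'a.b.c.d, e.f.g.0/24' into network objects; blank entries are ignored."""
    nets = []
    for item in value.split(","):
        item = item.strip()
        if item:
            # strict=False lets '198.51.100.7/28' mean the /28 containing that host.
            nets.append(ipaddress.ip_network(item, strict=False))
    return nets


def callback_source_is_trusted(remote_addr: str, trusted: list) -> bool:
    """True only if the connecting address lies in one of the trusted networks."""
    try:
        addr = ipaddress.ip_address(remote_addr)
    except ValueError:          # garbage in REMOTE_ADDR is never trusted
        return False
    return any(addr in net for net in trusted)


def effective_client_ip(remote_addr: str, headers: dict, trusted_proxies: list) -> str:
    """Use X-Forwarded-For only when the direct peer is a proxy we operate.

    Without a proxy in front of the store, anyone can send
    'X-Forwarded-For: <gateway IP>', so the header must be ignored.
    """
    if not callback_source_is_trusted(remote_addr, trusted_proxies):
        return remote_addr
    xff = headers.get("X-Forwarded-For", "")
    hops = [h.strip() for h in xff.split(",") if h.strip()]
    # With one trusted proxy in front of the store, the last entry is the one
    # that proxy appended (the real peer); earlier entries may be attacker-supplied.
    return hops[-1] if hops else remote_addr


def accept_callback(remote_addr: str, headers: dict,
                    trusted_gateways: list, trusted_proxies=()) -> bool:
    """Decision for one incoming gateway callback: accept or drop."""
    client = effective_client_ip(remote_addr, headers, list(trusted_proxies))
    return callback_source_is_trusted(client, trusted_gateways)


if __name__ == "__main__":
    # Constructed sample: the gateway publishes one host and one /28.
    gateways = parse_trusted_list("203.0.113.10, 198.51.100.0/28")
    print(accept_callback("203.0.113.10", {}, gateways))                          # True
    print(accept_callback("192.0.2.77", {"X-Forwarded-For": "203.0.113.10"}, gateways))  # False
```

Even when the source address checks out, verify the gateway's own signature or hash on the callback payload where the gateway provides one; the IP check only narrows who can talk to the endpoint.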

PCI DSS compliance options

X-Cart 4.4 or above
  • Add PCI compliance scanning (90 days free) - This allows you to enable PCI compliance scanning for your store. Clicking the Sign up button will take you to the McAfee website where you will be able to enroll in the McAfee® PCI Certification Service.
  • Number of failed login attempts after which a user account must be suspended: The number of consecutive login attempts a user may make with an incorrect password before X-Cart automatically suspends their account. For compliance with the PCI Data Security Standard, set this value to 6 (the standard requires lockout after not more than six attempts).
  • Lockout duration in minutes (Leave empty if you do not want to automatically re-enable automatically suspended users): How long a user remains suspended after the system has suspended them for too many failed login attempts. For compliance with the PCI Data Security Standard, set this value to 30 minutes (the minimum the standard allows) or leave the field empty so that only an administrator can re-enable the account.
  • Number of days of inactivity after which an administrator account must be suspended (Set to 0 or leave empty if you do not wish to suspend unused administrator accounts): The number of days an administrator account may remain inactive before X-Cart automatically suspends it. For compliance with the PCI Data Security Standard, set this value to 90 days.
  • Use password strength check: This option enables a strength check for passwords created by the users of your store. If it is enabled, every time a user creates a new password for their account, X-Cart checks that the password contains both numeric and alphabetic characters and is at least 7 characters long. If it is disabled, no such check is performed. For compliance with the PCI Data Security Standard, enable this option.
  • Number of days after which non-customer users must be requested to change their password: The number of days since the user's most recent login after which X-Cart must request the user to change their password. This setting applies only to non-customer users (administrators, providers). For compliance with the PCI Data Security Standard, set this value to 90 days.
  • Do not allow a user to submit a new password that is the same as any of the last four passwords they have used: This option ensures that users who are asked to change their password actually choose something new rather than a password they have already used. For compliance with the PCI Data Security Standard, enable this option.
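The lockout, password-strength and password-history rules from the options above, implemented together as an added example so the interaction between them is visible (not X-Cart code; class and function names are hypothetical, and PBKDF2 is used here only so the example is self-contained, which says nothing about how X-Cart stores credentials). The thresholds are the PCI DSS values the page recommends: six attempts, a 30-minute lockout, at least seven characters with letters and digits, and no reuse of the last four passwords.

```python
"""Account lockout and password policy matching the PCI DSS settings above.

Added example; not X-Cart code.  Names are hypothetical and the password
hashing (PBKDF2-HMAC-SHA256 with a per-entry salt) is this example's
own choice.
"""
import hashlib
import os
import time
from dataclasses import dataclass, field
from typing import Optional

MAX_FAILED_ATTEMPTS = 6      # PCI DSS v3.2.1 8.1.6: lock out after not more than six attempts
LOCKOUT_MINUTES = 30         # PCI DSS v3.2.1 8.1.7: lockout of at least 30 minutes
MIN_PASSWORD_LENGTH = 7      # PCI DSS v3.2.1 8.2.3: at least seven characters, letters and digits
PASSWORD_HISTORY = 4         # PCI DSS v3.2.1 8.2.5: no reuse of the last four passwords


def password_is_strong(password: str) -> bool:
    """The documented X-Cart check: both letters and digits, length at least 7."""
    return (len(password) >= MIN_PASSWORD_LENGTH
            and any(c.isdigit() for c in password)
            and any(c.isalpha() for c in password))


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


@dataclass
class Account:
    login: str
    history: list = field(default_factory=list)   # (salt, digest) pairs, newest last
    failed_attempts: int = 0
    locked_until: float = 0.0                      # epoch seconds; 0 means not locked

    def set_password(self, new_password: str) -> None:
        if not password_is_strong(new_password):
            raise ValueError("password needs letters and digits and at least 7 characters")
        # Compare against the last four passwords used (the current one included).
        for salt, digest in self.history[-PASSWORD_HISTORY:]:
            if _hash(new_password, salt) == digest:
                raise ValueError("password matches one of the last four used")
        salt = os.urandom(16)
        self.history.append((salt, _hash(new_password, salt)))
        del self.history[:-PASSWORD_HISTORY]      # keep only what the policy needs

    def check_password(self, candidate: str) -> bool:
        salt, digest = self.history[-1]
        return _hash(candidate, salt) == digest


def attempt_login(account: Account, password: str, now: Optional[float] = None) -> str:
    """Return 'ok', 'bad_password' or 'locked'.  `now` is injectable for testing."""
    now = time.time() if now is None else now
    if now < account.locked_until:
        return "locked"        # even the correct password is refused while locked
    if account.check_password(password):
        account.failed_attempts = 0
        return "ok"
    account.failed_attempts += 1
    if account.failed_attempts >= MAX_FAILED_ATTEMPTS:
        account.locked_until = now + LOCKOUT_MINUTES * 60
        account.failed_attempts = 0
        return "locked"
    return "bad_password"


if __name__ == "__main__":
    acct = Account("admin")
    acct.set_password("Winter2024x")               # constructed sample credential
    for _ in range(6):
        print(attempt_login(acct, "wrong", now=1000.0))   # five 'bad_password', then 'locked'
```

Leaving the lockout duration empty corresponds to `locked_until` never expiring until an administrator clears it; the example models only the timed variant.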

HTTPS options

  • Use HTTPS for users' login and registration: If selected, existing users log in to the store and new users register over HTTPS.
Important: If you decide to use HTTPS for users' login and registration, make sure you have a valid SSL/TLS certificate installed and configured on your web server and that the variable $https_location in config.php is set correctly. For details, refer to: Configuring HTTPS
  • Use secure login form on a separate page (HTTPS): If selected, your store's authorization pages provide links to special secure login pages that let users log in to the store over HTTPS.
  • Redirect customers from HTTPS to HTTP: This option defines whether users who initially accessed your store's website over HTTPS may continue to use it over HTTPS. If it is enabled, users who connect over HTTPS are automatically redirected to HTTP for all pages that do not require HTTPS (HTTPS is used only for pages that need a secure connection between the web server and the user's browser, such as the login and registration pages). If it is disabled, users who arrive over HTTPS stay on HTTPS for the whole visit. Keep it disabled: once a user has logged in over HTTPS, redirecting them to HTTP sends the session cookie in the clear on every subsequent request (unless the cookie is marked Secure, in which case the HTTP pages lose the session instead). Serving the whole store over HTTPS, with HTTP Strict Transport Security if your hosting lets you set response headers, avoids both problems.

PGP options

  • Home path: Path to PGP home directory (a directory where PGP configuration file and keyrings are stored).
Note: All the files in PGP home directory must be owned by the user under which PGP is running (usually Web server) and must have UNIX 0600 permissions. The directory itself must have 0700 permissions.
  • PGP binary path: Path to PGP executable.
  • PGP user id: Your user ID (an ASCII string used to identify a user).
  • PGP public key: Public key that will be used to encrypt your data (After you paste your public key into this field and click the Save button, the key will be added to your public keyring).
  • Use PGP version 6: Selecting this check box enables you to use PGP version 6.

GnuPG options

  • Home path: Path to GnuPG home directory.
  • GnuPG binary path: Path to GnuPG executable.
  • GnuPG user id: Your user ID.
  • GnuPG public key: Public key that will be used to encrypt your data.
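The ownership and permission rule in the note on the PGP home path (every file 0600, the directory itself 0700, all owned by the user PGP runs as) applies equally to the GnuPG home path. The audit below is an added example, not part of X-Cart, that walks a home directory and reports every violation; the function name, the way the expected owner is passed in, and the `demo()` helper that builds a throwaway directory with one sloppy file are this example's own. It also flags symlinks and recurses into subdirectories such as GnuPG's private-keys-v1.d, which the note does not mention but which fall under the same rule.

```python
"""Audit a PGP/GnuPG home directory for ownership and permission rules.

Added example, not X-Cart code.  Expected: directory 0700, files 0600,
everything owned by the user the web server runs as.  The function name
and demo() helper are this example's own.
"""
import os
import stat
import tempfile


def audit_gpg_home(home: str, expected_uid: int) -> list:
    """Return human-readable violations; an empty list means the directory is clean."""
    problems = []
    st = os.lstat(home)
    if not stat.S_ISDIR(st.st_mode):
        return [f"{home}: not a directory"]
    if st.st_uid != expected_uid:
        problems.append(f"{home}: owned by uid {st.st_uid}, expected {expected_uid}")
    if stat.S_IMODE(st.st_mode) != 0o700:
        problems.append(f"{home}: mode {stat.S_IMODE(st.st_mode):04o}, expected 0700")
    for name in sorted(os.listdir(home)):
        path = os.path.join(home, name)
        fst = os.lstat(path)
        if stat.S_ISLNK(fst.st_mode):
            # A symlink in the keyring directory can point at a file someone else controls.
            problems.append(f"{path}: is a symlink")
            continue
        if fst.st_uid != expected_uid:
            problems.append(f"{path}: owned by uid {fst.st_uid}, expected {expected_uid}")
        if stat.S_ISDIR(fst.st_mode):
            # e.g. GnuPG's private-keys-v1.d: same rules apply one level down.
            problems.extend(audit_gpg_home(path, expected_uid))
        elif stat.S_IMODE(fst.st_mode) != 0o600:
            problems.append(f"{path}: mode {stat.S_IMODE(fst.st_mode):04o}, expected 0600")
    return problems


def demo() -> tuple:
    """Build a constructed home directory with one correct and one sloppy file."""
    home = tempfile.mkdtemp()
    os.chmod(home, 0o700)
    good = os.path.join(home, "pubring.gpg")
    bad = os.path.join(home, "secring.gpg")
    for p in (good, bad):
        with open(p, "wb") as fh:
            fh.write(b"constructed placeholder, not a real keyring\n")
    os.chmod(good, 0o600)
    os.chmod(bad, 0o644)   # world-readable secret keyring: the classic mistake
    return home, audit_gpg_home(home, os.getuid())


if __name__ == "__main__":
    _, found = demo()
    for line in found:
        print(line)        # reports only secring.gpg with mode 0644
```

Run it as the web server user (or pass that user's uid) against the path you entered in 'Home path'; anything it prints is something PGP or GnuPG may refuse to use, or something another local user can read.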

P3P options

Important: This section was removed, as it is not available in X-Cart versions 4.7.10 and later.

This section allows you to define your store's privacy policy. P3P enabled web browsers will use the information provided in this section to decide how to interact with your store site. For example, Microsoft Internet Explorer 6 can compare your store's privacy policy with the user's stored preferences to decide whether or not to allow cookies from your store site.

  • P3P compact policy data: Your store's compact privacy policy (sent in the P3P HTTP response header).
  • P3P policy reference file url (leave empty if not used): URL of your store's P3P policy reference file.
Note: More information about P3P is available at the W3C P3P site (http://www.w3.org/P3P/). P3P is obsolete: Internet Explorer was the only major browser that evaluated it and the W3C has retired the specification, so these fields have no effect on current browsers.

Test data encryption

This section allows you to test whether PGP/GnuPG encryption is working correctly. For details, see X-Cart:PGP/GnuPG page.