X-Cart:Security Options

From X-Cart 4 Classic
Revision as of 11:38, 17 September 2010 by Ivka (talk | contribs) (General security options)

General security options

The 'General settings/Security options' page allows you to adjust options that affect your store's security (the encryption methods used in your store, HTTPS options, etc.) and to test the encryption of data by PGP/GnuPG.

  • Order emails encryption method: Method that you wish to be used for encrypting order emails.
  • Comma separated list of file extensions disallowed for uploading: A comma separated list of disallowed file extensions (For example, php, pl, cgi, asp, exe, com, bat, pif). Uploading onto the server of files with these extensions will not be possible.
  • Check if payment gateway response is coming from the IP's specified here (enter a comma separated list): A comma separated list of IP addresses from which payment gateway responses can be accepted.
We strongly recommend that you add a comma separated list of IP addresses from which payment gateway responses can be accepted for the Web-based payment methods on this page. For information about the IP addresses a payment gateway may use, contact the payment gateway's support.
Web-based means that the customer is redirected to the payment gateway site, where he or she enters the credit card data. After the payment is completed, the customer is redirected back to the store. Web-based payment methods can use special callback queries to the store to report the transaction status on the payment gateway's side. Malicious users can try to forge these callback queries in order to manipulate information about the order status in the store. That is why it is necessary to fill in the list of IP addresses from which callback queries to the store are allowed.
  • Enable merchant key based blowfish encryption method: Enabling this option enables Merchant key-based Blowfish encryption for order details. As soon as you select the check box and click the Save button, you are redirected to a page where you are prompted to create a Merchant key, a password which X-Cart uses to encrypt and decrypt order details with the Blowfish encryption method. After you create a Merchant key, all the order details in your store are re-encrypted using this new key.
Important: You will be required to enter your Merchant key as a password every time you access order details. Make sure you keep your Merchant key in a secure place. If you forget your Merchant key, all the order details stored in your database will be lost, as you will not be able to decrypt them. Please also be aware that the 'Blowfish encryption method is enabled' option cannot be disabled without a valid Merchant key.
  • Check MD5 of compiled templates for better store protection at a shared hosting: If selected, a special routine checks if MD5 checksums of the compiled templates of pages served to a user's web browser match the authentic checksums for these templates. If the sums for a certain compiled template do not match, the template is discarded and compiled anew. Compiled templates whose MD5 checksum does not match the authentic one are considered potentially harmful: the detected checksum mismatch indicates that the PHP code of such templates has been altered and may possibly contain malicious code.
Note: Enabling this option is recommended if your X-Cart is installed on shared (public) hosting.
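The callback IP allowlist described under 'Check if payment gateway response is coming from the IP's specified here' can be illustrated with the following added example; it is not X-Cart's own code, and the option value, its assumed format (comma separated IPv4/IPv6 literals, whitespace tolerated) and the fail-closed handling of an empty list are assumptions made here.

```python
import ipaddress

# Constructed sample of the option value as an administrator might type it:
# comma separated, whitespace tolerated, IPv4 or IPv6 literals (assumed format).
GATEWAY_IP_OPTION = "203.0.113.10, 203.0.113.11,2001:db8::55"


def parse_ip_list(option_value):
    """Parse the comma separated option into a set of ip_address objects.

    An entry that is not a valid IP literal raises ValueError, so a typo in
    the setting cannot silently shrink the allowlist.
    """
    allowed = set()
    for item in option_value.split(","):
        item = item.strip()
        if item:
            allowed.add(ipaddress.ip_address(item))
    return allowed


def callback_allowed(remote_addr, option_value):
    """Return True only if the callback's source address is on the list.

    remote_addr must be the TCP peer address of the request (REMOTE_ADDR),
    never a client-supplied header such as X-Forwarded-For, which a forged
    callback could set to any value. An empty list fails closed in this
    example; that is a choice made here, not a statement about X-Cart.
    """
    allowed = parse_ip_list(option_value)
    if not allowed:
        return False
    try:
        source = ipaddress.ip_address(remote_addr.strip())
    except ValueError:
        return False
    return source in allowed
```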
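The compiled-template checksum routine described under 'Check MD5 of compiled templates' works as in this added example, which is not X-Cart's code: the stand-in compiler, the in-memory manifest of authentic checksums and the constructed template are assumptions made here.

```python
import hashlib
import os
import tempfile

def md5_of_file(path):
    """MD5 hex digest of a file, read in chunks."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def compile_template(source_path, compiled_path, manifest):
    """Stand-in compiler (assumption): prefix the template with a PHP header.
    The checksum of the freshly written file is recorded as the authentic one."""
    with open(source_path, "rb") as src:
        body = src.read()
    with open(compiled_path, "wb") as out:
        out.write(b"<?php /* compiled template */ ?>\n" + body)
    manifest[compiled_path] = md5_of_file(compiled_path)

def check_compiled_template(source_path, compiled_path, manifest):
    """Return 'ok' when the compiled file matches its recorded checksum.
    Otherwise discard it, compile anew from the source and return 'recompiled'.
    A compiled file with no manifest entry is treated as untrusted as well."""
    expected = manifest.get(compiled_path)
    if (expected is not None and os.path.exists(compiled_path)
            and md5_of_file(compiled_path) == expected):
        return "ok"
    if os.path.exists(compiled_path):
        os.remove(compiled_path)
    compile_template(source_path, compiled_path, manifest)
    return "recompiled"

def demo():
    """Compile a constructed template, alter it on disk, and run the check."""
    workdir = tempfile.mkdtemp()
    source = os.path.join(workdir, "home.tpl")
    compiled = os.path.join(workdir, "home.tpl.php")
    manifest = {}
    with open(source, "wb") as f:
        f.write(b"<h1>{$store_name}</h1>\n")
    compile_template(source, compiled, manifest)
    results = [check_compiled_template(source, compiled, manifest)]
    with open(compiled, "ab") as f:            # simulate tampering on the host
        f.write(b"<?php /* altered */ ?>\n")
    results.append(check_compiled_template(source, compiled, manifest))
    results.append(check_compiled_template(source, compiled, manifest))
    return results                              # ['ok', 'recompiled', 'ok']
```

The recorded checksums only protect the store if they are kept where other tenants of the shared host cannot write, otherwise an altered template can be accompanied by an updated checksum.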

PCI DSS compliance options

  • Number of failed login attempts after which a user account must be suspended: The number of login attempts that a user is allowed to make using an incorrect password before X-Cart automatically suspends their account. For compliance with PCI Data Security Standard, set this value to 6.
  • Lockout duration in minutes (Leave empty if you do not want to automatically re-enable automatically suspended users): The time period for which a user must remain suspended after having been automatically suspended by the system after a number of failed login attempts. For compliance with PCI Data Security Standard, set this value to 30 minutes or leave the field empty.
  • Number of days of inactivity after which an administrator account must be suspended (Set to 0 or leave empty if you do not wish to suspend unused administrator accounts): The number of days that an administrator account may remain inactive before getting automatically suspended by X-Cart. For compliance with PCI Data Security Standard, set this value to 90 days.
  • Use password strength check: This option allows you to enable a password strength check for passwords created by the users of your store. If this option is enabled, every time a user creates a new password for their account, X-Cart checks that the password contains both numeric and alphabetic characters and is at least 7 characters long. If this option is disabled, no such check is performed. For compliance with PCI Data Security Standard, enable this option.
  • Number of days after which non-customer users must be requested to change their password: The number of days since the user's most recent login after which X-Cart must request the user to change their password. This setting is relevant only for non-customer users (administrators, providers). For compliance with PCI Data Security Standard, set this value to 90 days.
  • Do not allow a user to submit a new password that is the same as any of the last four passwords they have used: This option helps you ensure that users who are requested to change their password will change their password to something new (not a password they have already used). For compliance with PCI Data Security Standard, enable this option.
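The login lockout, password strength and password history rules listed above, carried through in one added example that is not X-Cart's code; the PBKDF2 storage of previous passwords, the Account class and the time handling are assumptions made here, and the numeric values are the PCI DSS values the page recommends.

```python
import hashlib
import os

MAX_FAILED_LOGINS = 6          # PCI DSS value given on the page
LOCKOUT_SECONDS = 30 * 60      # 30 minutes; None means never re-enable
MIN_PASSWORD_LENGTH = 7
PASSWORD_HISTORY = 4           # the last four passwords may not be reused

def hash_password(password, salt=None):
    """Salted PBKDF2-SHA256; the 16-byte salt is stored in front of the digest."""
    salt = os.urandom(16) if salt is None else salt
    return salt + hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)

def check_new_password(password, previous_hashes):
    """Return None if the password passes the page's rules, else the reason."""
    if len(password) < MIN_PASSWORD_LENGTH:
        return "too short"
    if not (any(c.isalpha() for c in password) and any(c.isdigit() for c in password)):
        return "needs both letters and digits"
    for old in previous_hashes[-PASSWORD_HISTORY:]:    # compare against stored hashes
        if hash_password(password, old[:16]) == old:
            return "reused recent password"
    return None

class Account:
    def __init__(self, lockout_seconds=LOCKOUT_SECONDS):
        self.lockout_seconds = lockout_seconds
        self.failed = 0
        self.suspended_at = None      # time of automatic suspension, if any

    def is_suspended(self, now):
        if self.suspended_at is None:
            return False
        if self.lockout_seconds is not None and now - self.suspended_at >= self.lockout_seconds:
            self.suspended_at, self.failed = None, 0    # lockout expired: re-enable
            return False
        return True

    def record_login(self, success, now):
        """Apply one login attempt at time `now` (seconds) and return the outcome."""
        if self.is_suspended(now):
            return "suspended"
        if success:
            self.failed = 0
            return "ok"
        self.failed += 1
        if self.failed >= MAX_FAILED_LOGINS:
            self.suspended_at = now
            return "suspended"
        return "failed"
```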

HTTPS options

  • Use HTTPS for users' login and registration: If selected, existing users log in to the store and new users get registered using HTTPS.
  • Use secure login form on a separate page (HTTPS): If selected, your store's authorization pages will provide links to special secure login pages allowing users to log in to the store using HTTPS.
  • Do not redirect customers from HTTPS to HTTP: If selected, customers use HTTPS all the time while using your store. You can unselect this check box if you want to enable redirection of customers to HTTP for pages where security is not required.

PGP options

  • Home path: Path to PGP home directory (a directory where PGP configuration file and keyrings are stored).
Note: All the files in the PGP home directory must be owned by the user as which PGP runs (usually the web server user) and must have UNIX permissions 0600. The directory itself must have permissions 0700.
  • PGP binary path: Path to PGP executable.
  • PGP user id: Your user ID (an ASCII string used to identify a user).
  • PGP public key: Public key that will be used to encrypt your data (After you paste your public key into this field and click the Save button, the key will be added to your public keyring).
  • Use PGP version 6: Selecting this check box enables you to use PGP version 6.
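The ownership and permission rules for the PGP home directory (0700 on the directory, 0600 on the files, everything owned by the user PGP runs as) can be verified with this added check; it is not part of X-Cart, assumes a POSIX host, and builds a constructed directory with a placeholder keyring file for its demonstration.

```python
import os
import stat
import tempfile


def pgp_home_problems(home, expected_uid):
    """Return a list of deviations from the page's rules; an empty list means OK.

    Rules checked: the directory is mode 0700, every regular file in it is
    mode 0600, and the directory and its files are owned by expected_uid.
    """
    problems = []
    st = os.stat(home)
    if not stat.S_ISDIR(st.st_mode):
        return ["%s is not a directory" % home]
    if st.st_uid != expected_uid:
        problems.append("%s: owner uid %d, expected %d" % (home, st.st_uid, expected_uid))
    if stat.S_IMODE(st.st_mode) != 0o700:
        problems.append("%s: mode %04o, expected 0700" % (home, stat.S_IMODE(st.st_mode)))
    for name in sorted(os.listdir(home)):
        path = os.path.join(home, name)
        fst = os.lstat(path)               # do not follow symlinks out of the directory
        if fst.st_uid != expected_uid:
            problems.append("%s: owner uid %d, expected %d" % (path, fst.st_uid, expected_uid))
        if stat.S_ISREG(fst.st_mode) and stat.S_IMODE(fst.st_mode) != 0o600:
            problems.append("%s: mode %04o, expected 0600" % (path, stat.S_IMODE(fst.st_mode)))
    return problems


def demo():
    """Build a constructed PGP home directory, check it, loosen a keyring, re-check."""
    home = tempfile.mkdtemp()
    os.chmod(home, 0o700)
    keyring = os.path.join(home, "pubring.pkr")
    with open(keyring, "wb") as f:
        f.write(b"constructed keyring placeholder\n")
    os.chmod(keyring, 0o600)
    clean = pgp_home_problems(home, os.getuid())
    os.chmod(keyring, 0o644)               # world-readable keyring: should be flagged
    loose = pgp_home_problems(home, os.getuid())
    return clean, loose
```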

GnuPG options

  • Home path: Path to GnuPG home directory.
  • GnuPG binary path: Path to GnuPG executable.
  • GnuPG user id: Your user ID.
  • GnuPG public key: Public key that will be used to encrypt your data.

P3P options

This section allows you to define your store's privacy policy. P3P enabled web browsers will use the information provided in this section to decide how to interact with your store site. For example, Microsoft Internet Explorer 6 can compare your store's privacy policy with the user's stored preferences to decide whether or not to allow cookies from your store site.

  • P3P compact policy data: Your store's compact privacy policy (will be included in the HTTP header).
  • P3P policy reference file url (leave empty if not used): URL of your store's P3P policy reference file.
Note: More information about P3P is available at W3C P3P site (http://www.w3.org/P3P/).

Test data encryption

This section allows you to test whether PGP/GnuPG encryption is working correctly. For details, see the X-Cart:PGP/GnuPG page.