Difference between revisions of "X-Cart:Security Profiles"

From X-Cart 4 Classic
Latest revision as of 11:37, 26 March 2013

In X-Cart versions 4.5.5 and later, you can choose a security profile for your store during X-Cart installation. The two available options are Evaluation/Playground and Live store. The store administrator selects the security profile at the "Preparing to install X-Cart database" step of X-Cart's web installation:

[Image: Security profile.png]

Live store security profile is a pre-set combination of security options that ensure a higher level of security for your store's data in production mode. This includes:

  1. Enabled 'ip'-based protection method for security-sensitive operations performed via your store's back end:
    • SQL/security and upgrade/patch operations,
    • file operations (upload of distribution files for ESD products) and template editing.
  2. Enabled session protection mechanism ensuring that the session ID of the admin user is locked to the IP subnetwork that includes the IP address from which the admin session originated; this significantly reduces the possibility of a valid session being hijacked by an unauthorized person.

Live store security profile corresponds to the following settings in config.php:

  • const PROTECT_DB_AND_PATCHES = 'ip';
  • const PROTECT_ESD_AND_TEMPLATES = 'ip';
  • const PROTECT_XID_BY_IP = 'secure_mask';

Evaluation/Playground is a security profile that allows you to work without the security limitations imposed by the Live store security profile. With this profile enabled, no protection is used for security-sensitive operations performed via your store's back end, and the session protection mechanism is disabled. This is caused by the following settings in config.php:

  • const PROTECT_DB_AND_PATCHES = FALSE;
  • const PROTECT_ESD_AND_TEMPLATES = FALSE;
  • const PROTECT_XID_BY_IP = FALSE;

If you need to change the previously selected security profile, do one of the following:

  • Re-run X-Cart's installer with the option "Update config only" enabled and select a different security profile, or
  • manually readjust the values of the constants PROTECT_DB_AND_PATCHES, PROTECT_ESD_AND_TEMPLATES and PROTECT_XID_BY_IP in your store's config.php file.

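Because the profile is nothing more than the three PROTECT_* constants above, a store's effective profile can be audited directly from config.php. The following script is an added example (not X-Cart's own code or installer) that reads a config.php text, extracts the three constants and reports whether the store is running the Live store profile, the Evaluation/Playground profile, or a mixed state where only some protections are enabled. The sample config.php fragments are constructed for the example; the constant names and values are the ones documented on this page.

```python
import re
from typing import Dict, List

# Values this page documents for each profile (X-Cart 4.5.5+ config.php).
LIVE_STORE = {
    "PROTECT_DB_AND_PATCHES": "'ip'",
    "PROTECT_ESD_AND_TEMPLATES": "'ip'",
    "PROTECT_XID_BY_IP": "'secure_mask'",
}
EVALUATION = {name: "FALSE" for name in LIVE_STORE}

# Matches uncommented "const PROTECT_... = value;" lines; a leading "//" or "#"
# stops the match, so commented-out definitions are ignored.
CONST_RE = re.compile(r"^\s*const\s+(PROTECT_\w+)\s*=\s*(.+?)\s*;", re.MULTILINE)


def _normalize(value: str) -> str:
    """PHP keywords are case-insensitive, so FALSE/false/False compare equal."""
    value = value.strip()
    return value.upper() if value.upper() in ("TRUE", "FALSE") else value


def parse_protection_constants(config_text: str) -> Dict[str, str]:
    """Return the PROTECT_* constants defined in config.php (last definition wins)."""
    found: Dict[str, str] = {}
    for name, value in CONST_RE.findall(config_text):
        found[name] = _normalize(value)
    return found


def weakened_settings(consts: Dict[str, str]) -> List[str]:
    """Constants that are missing or differ from their Live store value."""
    return [name for name, live in LIVE_STORE.items() if consts.get(name) != live]


def classify_profile(consts: Dict[str, str]) -> str:
    """'live-store', 'evaluation', 'mixed', or 'incomplete' (a constant is missing)."""
    if any(name not in consts for name in LIVE_STORE):
        return "incomplete"
    if all(consts[name] == live for name, live in LIVE_STORE.items()):
        return "live-store"
    if all(consts[name] == off for name, off in EVALUATION.items()):
        return "evaluation"
    return "mixed"


# Constructed config.php fragments for demonstration (not real store files).
CONFIG_LIVE = """<?php
const PROTECT_DB_AND_PATCHES = 'ip';
const PROTECT_ESD_AND_TEMPLATES = 'ip';
const PROTECT_XID_BY_IP = 'secure_mask';
"""

CONFIG_EVAL = """<?php
const PROTECT_DB_AND_PATCHES = FALSE;
const PROTECT_ESD_AND_TEMPLATES = false;
const PROTECT_XID_BY_IP = FALSE;
"""

# Someone disabled session locking by hand but left the other protections on.
CONFIG_MIXED = """<?php
const PROTECT_DB_AND_PATCHES = 'ip';
const PROTECT_ESD_AND_TEMPLATES = 'ip';
// const PROTECT_XID_BY_IP = 'secure_mask';
const PROTECT_XID_BY_IP = FALSE;
"""


def audit(label: str, config_text: str) -> str:
    consts = parse_protection_constants(config_text)
    profile = classify_profile(consts)
    weak = weakened_settings(consts)
    detail = f" (not at Live store value: {', '.join(weak)})" if weak else ""
    return f"{label}: profile={profile}{detail}"


if __name__ == "__main__":
    for label, text in (("live", CONFIG_LIVE), ("eval", CONFIG_EVAL), ("mixed", CONFIG_MIXED)):
        print(audit(label, text))
```

Run it against a real store by replacing the constructed strings with the contents of the store's config.php; any result other than "live-store" on a production store is what the check is meant to surface, and the "mixed" case is the one the installer's profile selection would never produce by itself.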
See also

  • Protected Mode
  • X-Cart:Config.php