Skip to content
A Magento community sourced security pre-flight checklist.
Branch: master
Clone or download
talesh Merge pull request #12 from talesh/talesh-patch-5
Added more details for PHP configuration
Latest commit 6520aa2 Jun 5, 2019
Type Name Latest commit message Commit time
Failed to load latest commit information.
LICENSE Initial commit May 28, 2019 Added more details for PHP configuration Jun 5, 2019

Magento Security Checklist

This is a community sourced checklist of security measures to take before launching your store. Think of it as a pre-flight checklist so you don't forget something important because you've been in a headlong rush for the last few months to get all the features of your eCommerce site built.

This checklist will apply to only Magento 2.x versions.

Custom code

  • Are all inputs validated on the server side?
    • (TODO: Link to validation tutorial)
  • Are you sanitizing all inputs also? (eg: casting to integers if a number is expected?)
  • Are you correctly protecting your code against PHP string comparison vulnerabilities? (eg. == vs ===)
  • Are you using Magento built in form_key validation on all custom forms?
    • (TODO: Link for more info on CSRF Anti-forgery tokens)
  • Are you properly escaping all output to screen using escapeHtml(), escapeJs() and similar functions?
  • Are you setting HttpOnly and Secure flag on any custom cookies?
  • Are you using the Magento\Config\Model\Config\Backend\Encrypted backend model for sensitive API data to be stored in the DB? eg: payment gateway keys.
  • Are you using any dynamic code execution functions like eval, shell_exec?
  • Are you building MySQL queries properly and not using direct queries?
  • Are all sensitive or system specific settings treated as sensitive configuration?
  • Are you adhering to the Magento Technical Guidelines when developing custom code?

Extension security checklist

  • Do you have the latest version of all the extesions being used on the site?
  • Are all your extensions using Magento ACL properly to limit the scope of users?
    • (TODO: ACL tutorial)
  • Did you perform a security audit on 3rd party extensions used on the store?
    • At the very least execute Extension Code Review against Magento Coding Standards
    • Review if Passwords/API Credentials or other Sensitive Data stored by 3rd Party Extension are not save in Database using plaintext!
    • (TODO: Link to more sample tools to help perform security audit on extensions)
  • Review the need of using Magento_Swagger & Magento_Version Modules in Production Environment (consider to Disable those CORE Modules or at the very least restrict access to hostname/magento_version and hostname/swagger)

Magento Admin settings

  • Are you using a custom Magento Admin URL?
  • Is access to your Admin URL IP whitelisted or protected via VPN?
  • Confirm that Web -> Default Cookie Settings -> Use HTTP Only is not disabled?
  • Are you using 2FA for your admin login?
  • Are there any old/unused admin users which were created for testing or development that should be removed?

Server settings

  • Is your site logging information in a format that is easily reviewed by your team?
  • Is your site logging any potentially sensitive information?
  • Is you TLS certificate properly installed and your OpenSSL configuration set to high standards?
  • Do you have notifications turned on for filesystem integrity?
  • Disable Server Signature:
  • Set secure PHP settings in php.ini
    • Minimize the number of PHP modules you have installed. Remove any not needed by Magento.
    • Disable PHP version exposure: expose_php = Off
    • Disable Script Name exposure for mail() function: mail.add_x_header = Off
    • Disable errors: display_errors = Off
    • Set httponly flag as default for cookies: session.cookie_httpsonly = On
    • Set secure flag as default for cookies: session.cookie_secure = On
    • Disable remote file inclusion: allow_url_fopen = Off and allow_url_include = Off
    • Set open_basedir and upload_tmp_dir to appropriate directories for you distro/installation
  • Are there any (development) files or database dumps lying around in the production document root that are not intended for public useage (for example info.php, phpinfo.php, dbdump.sql.gz)?
  • Does an unecessary .git folder or .gitignore file exist in your production filesystem?
  • Do all your folders in your docroot have the appropriate permissions set? (for example var/logs, /var/report, install)?
  • Have you analyzed your HTTP response headers for problems?
  • Unless you have specific requirements for them have you limited all requests to GET and PUT?
  • TODO: need to add mod_security information

Regular Maintenance

  • Do you have an Incident Response Plan implemented and tested (mock scenario)?
  • Do you have a person with regular scheduled time to review log messages for suspicious behaviour?
    • What is your process for dealing with IP address that are attempted to directory bruteforcing?
  • Do you have automated offsite backups for your site enabled?

Magento Core

  • Does your site contain the latest security patches and updates?
  • Do you have a person with a subscription to security notices from Magento security blog for urgent patches/updates?
  • Do you have a recurring reminder to execute regularly review validity of existing Admin accounts?
    • Recommended monthly

External security concerns

  • If you are using a Web Application Firewall (WAF) does it provide virtual patching and how do you keep it up to date?
You can’t perform that action at this time.