Magento Security Checklist
This is a community sourced checklist of security measures to take before launching your store. Think of it as a pre-flight checklist so you don't forget something important because you've been in a headlong rush for the last few months to get all the features of your eCommerce site built.
This checklist will apply to only Magento 2.x versions.
- Are all inputs validated on the server side?
- (TODO: Link to validation tutorial)
- Are you sanitizing all inputs also? (eg: casting to integers if a number is expected?)
- Are you correctly protecting your code against PHP string comparison vulnerabilities? (eg. == vs ===)
- Are you using Magento built in
form_keyvalidation on all custom forms?
- (TODO: Link for more info on CSRF Anti-forgery tokens)
- Are you properly escaping all output to screen using
escapeJs()and similar functions?
- Are you setting
Secureflag on any custom cookies?
- Are you using the
Magento\Config\Model\Config\Backend\Encryptedbackend model for sensitive API data to be stored in the DB? eg: payment gateway keys.
- Are you using any dynamic code execution functions like
- Are you building MySQL queries properly and not using direct queries?
- Are all sensitive or system specific settings treated as sensitive configuration?
- Are you adhering to the Magento Technical Guidelines when developing custom code?
Extension security checklist
- Do you have the latest version of all the extesions being used on the site?
- Are all your extensions using Magento ACL properly to limit the scope of users?
- (TODO: ACL tutorial)
- Did you perform a security audit on 3rd party extensions used on the store?
- At the very least execute Extension Code Review against Magento Coding Standards
- Review if Passwords/API Credentials or other Sensitive Data stored by 3rd Party Extension are not save in Database using
- (TODO: Link to more sample tools to help perform security audit on extensions)
- Review the need of using
Magento_VersionModules in Production Environment (consider to
Disablethose CORE Modules or at the very least restrict access to
Magento Admin settings
- Are you using a custom Magento Admin URL?
- Is access to your Admin URL IP whitelisted or protected via VPN?
- Confirm that Web -> Default Cookie Settings -> Use HTTP Only is not disabled?
- Are you using 2FA for your admin login?
- Are there any old/unused admin users which were created for testing or development that should be removed?
- Is your site logging information in a format that is easily reviewed by your team?
- Is your site logging any potentially sensitive information?
- Is you TLS certificate properly installed and your OpenSSL configuration set to high standards?
- Do you have notifications turned on for filesystem integrity?
- Disable Server Signature:
- Set secure PHP settings in
- Minimize the number of PHP modules you have installed. Remove any not needed by Magento.
- Disable PHP version exposure:
expose_php = Off
- Disable Script Name exposure for
mail.add_x_header = Off
- Disable errors:
display_errors = Off
- Set httponly flag as default for cookies:
session.cookie_httpsonly = On
- Set secure flag as default for cookies:
session.cookie_secure = On
- Disable remote file inclusion:
allow_url_fopen = Offand
allow_url_include = Off
upload_tmp_dirto appropriate directories for you distro/installation
- Are there any (development) files or database dumps lying around in the production document root that are not intended for public useage (for example info.php, phpinfo.php, dbdump.sql.gz)?
- Does an unecessary
.gitignorefile exist in your production filesystem?
- Do all your folders in your docroot have the appropriate permissions set? (for example var/logs, /var/report, install)?
- Have you analyzed your HTTP response headers for problems?
- Unless you have specific requirements for them have you limited all requests to
- TODO: need to add mod_security information
- Do you have an Incident Response Plan implemented and tested (mock scenario)?
- Do you have a person with regular scheduled time to review log messages for suspicious behaviour?
- What is your process for dealing with IP address that are attempted to directory bruteforcing?
- Do you have automated offsite backups for your site enabled?
- Does your site contain the latest security patches and updates?
- Do you have a person with a subscription to security notices from Magento security blog for urgent patches/updates?
- Do you have a recurring reminder to execute regularly review validity of existing Admin accounts?
- Recommended monthly
External security concerns
- If you are using a Web Application Firewall (WAF) does it provide virtual patching and how do you keep it up to date?