{"id":13518147,"url":"https://github.com/talesh/magento-security-checklist","last_synced_at":"2025-03-31T09:31:14.845Z","repository":{"id":44678149,"uuid":"189083439","full_name":"talesh/magento-security-checklist","owner":"talesh","description":"A Magento community sourced security pre-flight checklist.","archived":false,"fork":false,"pushed_at":"2023-01-10T18:54:32.000Z","size":43,"stargazers_count":133,"open_issues_count":2,"forks_count":21,"subscribers_count":19,"default_branch":"master","last_synced_at":"2025-03-24T04:17:39.505Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":"","language":null,"has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"bsd-3-clause","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/talesh.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2019-05-28T18:38:13.000Z","updated_at":"2025-03-07T02:00:55.000Z","dependencies_parsed_at":"2023-02-08T19:45:13.927Z","dependency_job_id":null,"html_url":"https://github.com/talesh/magento-security-checklist","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/talesh%2Fmagento-security-checklist","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/talesh%2Fmagento-security-checklist/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/talesh%2Fmagento-security-checklist/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/talesh%2Fmagento-security-checklist/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/talesh","download_url":"https://codeload.github.com/talesh/magento-security-checklist/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":246446854,"owners_count":20778887,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-08-01T05:01:41.353Z","updated_at":"2025-03-31T09:31:14.546Z","avatar_url":"https://github.com/talesh.png","language":null,"funding_links":[],"categories":["Others","Security"],"sub_categories":["Free"],"readme":"# Magento Security Checklist\nThis is a community sourced checklist of security measures to take before launching your store. Think of it as a pre-flight checklist so you don't forget something important because you've been in a headlong rush for the last few months to get all the features of your eCommerce site built.\n\n_This checklist will apply to only Magento 2.x versions._\n\n## Custom code\n* Are all inputs validated on the server side? \n  * (TODO: Link to validation tutorial)\n* Are you sanitizing all inputs also? (eg: casting to integers if a number is expected?)\n* Are you correctly protecting your code against PHP string comparison vulnerabilities? (eg. == vs ===)\n  * [Blog post explaining vulnerability](https://hydrasky.com/network-security/php-string-comparison-vulnerabilities/)\n* Are you using Magento built in `form_key` validation on all custom forms? \n  * (TODO: Link for more info on CSRF Anti-forgery tokens)\n* Are you properly escaping all output to screen using `escapeHtml()`, `escapeJs()` and similar functions?\n* Are you setting `HttpOnly` and `Secure` flag on any custom cookies?\n* Are you using the `Magento\\Config\\Model\\Config\\Backend\\Encrypted` backend model for sensitive API data to be stored in the DB? eg: payment gateway keys.\n* Are you using any dynamic code execution functions like `eval`, `shell_exec` or backticks (``)? \n  * [Exploitable PHP functions](https://stackoverflow.com/questions/3115559/exploitable-php-functions)\n* Are you building MySQL queries properly and not using direct queries?\n* Are all sensitive or system specific settings treated as sensitive configuration? \n  * [DevDocs on sensitive configuration](https://devdocs.magento.com/guides/v2.3/extension-dev-guide/configuration/sensitive-and-environment-settings.html#how-to-specify-values-as-sensitive-or-system-specific)\n* Are you adhering to the Magento Technical Guidelines when developing custom code?\n  * [Magento Technical Guidelines](https://devdocs.magento.com/guides/v2.3/coding-standards/technical-guidelines.html)\n* Are you sanitizing/ filtering user inputs and dynamic data against malicious code to prevent cross-site scripting (XSS)? \n  * [XSS prevention strategies](https://devdocs.magento.com/guides/v2.3/extension-dev-guide/xss-protection.html)\n\n## Extension security checklist\n* Do you have the latest version of all the extensions being used on the site?\n  * [Magento Vulnerable extensions](https://github.com/gwillem/magevulndb)\n* Are all your extensions using Magento ACL properly to limit the scope of users?\n  * (TODO: ACL tutorial)\n* Did you perform a security audit on 3rd party extensions used on the store? \n  * At the very least execute Extension Code Review against [Magento Coding Standards](https://github.com/magento/magento-coding-standard)\n  * Use a [tool](https://packagist.org/packages/roave/security-advisories) that reports the usage of dependencies with known security vulnerabilities \n  * Review if Passwords/API Credentials or other Sensitive Data stored by 3rd Party Extension are not save in Database using `plaintext`!\n  * (TODO: Link to more sample tools to help perform security audit on extensions)\n* Review the need of using `Magento_Swagger` \u0026 `Magento_Version` Modules in Production Environment (consider to `Disable` those CORE Modules or at the very least restrict access to `hostname/magento_version` and `hostname/swagger`)\n* Review the need of using `hostname/setup` in Production Environment (consider to restrict the access)\n* Are you updating the 3rd party extensions on a regular basis?\n\n## Magento Admin settings \n* Are you using a custom Magento Admin URL?\n* Is the secret key added to admin URLs?\n* Is access to your Admin URL IP whitelisted or protected via VPN? \n* If you can't make the Admin URL private, are you using CAPTCHA/ reCAPTCHA for admin login form?\n* Is the admin session lifetime set to a reasonable configuration (1-2hrs)?\n* Are you reinforcing admin password renewal at least every 3 months?\n* Are you disabling the admin account sharing?\n* Are you limiting the failed admin login attempts to a reasonable number of times (eg 3)?\n* Confirm that Web -\u003e Default Cookie Settings -\u003e Use HTTP Only is not disabled?\n* Are you using 2FA for your admin login? \n* Are there any old/unused admin users which were created for testing or development that should be removed?\n* Are you using CAPTCHA/ reCAPTCHA for customer facing web forms?\n\n## Server settings\n* Is your site logging information in a format that is easily reviewed by your team?\n* Is your site logging any potentially sensitive information?\n* Is you TLS certificate properly installed and your OpenSSL configuration set to high standards?\n  * [SSL Server Test](https://www.ssllabs.com/ssltest/)\n* Do you have notifications turned on for filesystem integrity?\n* Disable Server Signature:\n  * [Nginx](http://nginx.org/en/docs/http/ngx_http_core_module.html#server_tokens) - `server_tokens off;`\n  * [Apache - ServerSignature Directive](https://httpd.apache.org/docs/2.4/mod/core.html#serversignature) - `ServerSignature Off` \n  * [Apache - ServerTokens Directive](https://httpd.apache.org/docs/2.4/mod/core.html#servertokens) - `ServerTokens Prod`\n* Set secure PHP settings in `php.ini`\n  * Minimize the number of PHP modules you have installed. Remove any not needed by Magento.\n  * Disable PHP version exposure: `expose_php = Off`\n  * Disable Script Name exposure for `mail()` function: `mail.add_x_header = Off`\n  * Disable errors: `display_errors = Off`\n  * Set httponly flag as default for cookies: `session.cookie_httpsonly = On`\n  * Set secure flag as default for cookies: `session.cookie_secure = On`\n  * Disable remote file inclusion: `allow_url_fopen = Off` and `allow_url_include = Off`\n  * Set `open_basedir` and `upload_tmp_dir` to appropriate directories for you distro/installation \n* Are there any (development) files or database dumps lying around in the production document root that are not intended for public usage (for example info.php, phpinfo.php, dbdump.sql.gz)?\n* Does an unnecessary `.git` folder or `.gitignore` file exist in your production filesystem? \n* Are any required files for server operation readable publicly? eg: `php.ini` or `.user.ini`\n* Do all your folders in your docroot have the [appropriate permissions set](https://devdocs.magento.com/guides/v2.3/config-guide/prod/prod_file-sys-perms.html)? (for example var/logs, /var/report, install)?\n* Have you analyzed your HTTP response headers for problems?\n  * [Analyse your HTTP response headers](https://securityheaders.com/)\n* Unless you have specific requirements for them have you limited all requests to `GET` and `PUT`?\n* Are you disabling the directory paths indexing/ listing?\n* Can you set your Magento php files installation as read-only? \n  *  Do you have a process for matching the production server files with a known good state?\n* _TODO: need to add mod_security information_\n* Is the webserver \u0026 Magento’s app/etc/env.php configured [to use /pub as document root](https://devdocs.magento.com/guides/v2.3/install-gde/tutorials/change-docroot-to-pub.html)?\n* Is /media/ accesible?\n* Are there any executable files inside /media/?\n* Are you using up-to-date services ([where compatibility allows it](https://devdocs.magento.com/guides/v2.3/install-gde/system-requirements-tech.html))?\n* Are you disabling or returning 404 the requests to pages with unused forms?\n\n## SSH access\n* Are you granting server access only by SSH connection and usage of individual users with individual keys?\n* Are you providing access only to the people who actually need it, and only to the resources they need?\n* Are you documenting all SSH keys and update them as team members change the keys or are added/ removed to/ from the team?\n* Are you reviewing all access by project team members and staff periodically (at least every 3 months)?\n* Are you disabling SSH access for root user?\n* Is the default SSH port changed from 22 to something else (eg 2233)?\n* Is SSH password authentication disabled?\n\n## Regular Maintenance \n* Do you have an Incident Response Plan implemented and tested (mock scenario)? \n  * [Magento Incidence Response Plan template](https://www.github.com/talesh/response)\n* Do you have a person with regular scheduled time to review log messages for suspicious behaviour?\n  * What is your process for dealing with IP address that are attempted to directory bruteforcing?\n* Do you have automated offsite backups for your site enabled?\n  * Are these backups encrypted and on a non-public location?\n  * Are these backups treated with the same level of security as your existing code?\n\n## Secure Development processes \n* Do you have a process for sanitizing production data for developers?\n  * [n98-magerun2 is recommended](https://github.com/netz98/n98-magerun2)\n* Do you have a list of developers/support staff with full access to your production systems and a process for accessing them?\n\n## Testing environments\n* Are you blocking access to testing machines and use a whitelist for IPs that really need to access these resources?\n* Are you keeping a catalog of all IPs - who and why they have access over HTTP to these machines and periodically check if they still need the access?\n* Are you using [environment variables](https://devdocs.magento.com/guides/v2.3/config-guide/prod/config-reference-var-name.html) to overwrite any production URL for payment processors, 3rd party API integrations or other sensitive configurations which you might overlook when updating the testing machine database with a backup from production?\n\n## Magento Core \n* Does your site contain the latest security patches and updates?\n  * [Magereport community scanner](https://www.magereport.com/)\n  * [Magento security scanner](https://account.magento.com/scanner)\n* Are you applying the security patches' new standards/ changes to the custom code developed so far? Without this, the patch can be useless (the system is as strong as its weakest link).\n* Do you have a person with a subscription to security notices from Magento security blog for urgent patches/updates? \n  * [Magento Security center](https://magento.com/security)\n* Do you have a recurring reminder to execute regularly review validity of existing Admin accounts (including the allocated resources)?\n  * Recommended monthly\n* Are you reviewing on a regular basis (at least every 3 months) the existing API integrations and the allocated resources?\n\n## External security concerns\n* If you are using a Web Application Firewall (WAF) does it provide virtual patching and how do you keep it up to date?\n\n## Additional resources\n* Magento User Guide's [Security Best Practices](https://magento.com/security/best-practices)\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Ftalesh%2Fmagento-security-checklist","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Ftalesh%2Fmagento-security-checklist","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Ftalesh%2Fmagento-security-checklist/lists"}