Magento Security Checklist

This is a community sourced checklist of security measures to take before launching your store. Think of it as a pre-flight checklist so you don't forget something important because you've been in a headlong rush for the last few months to get all the features of your eCommerce site built.

This checklist will apply to only Magento 2.x versions.

Custom code

• Are all inputs validated on the server side?
  • (TODO: Link to validation tutorial)
• Are you sanitizing all inputs also? (eg: casting to integers if a number is expected?)
• Are you correctly protecting your code against PHP string comparison vulnerabilities? (eg. == vs ===)
  • Blog post explaining vulnerability
• Are you using Magento built in form_key validation on all custom forms?
  • (TODO: Link for more info on CSRF Anti-forgery tokens)
• Are you properly escaping all output to screen using escapeHtml(), escapeJs() and similar functions?
• Are you setting HttpOnly and Secure flag on any custom cookies?
• Are you using the Magento\Config\Model\Config\Backend\Encrypted backend model for sensitive API data to be stored in the DB? eg: payment gateway keys.
• Are you using any dynamic code execution functions like eval, shell_exec?
  • Exploitable PHP functions
• Are you building MySQL queries properly and not using direct queries?
• Are all sensitive or system specific settings treated as sensitive configuration?
  • DevDocs on sensitive configuration
• Are you adhering to the Magento Technical Guidelines when developing custom code?
  • Magento Technical Guidelines

Extension security checklist

• Do you have the latest version of all the extesions being used on the site?
  • Magento Vulnerable extensions
• Are all your extensions using Magento ACL properly to limit the scope of users?
  • (TODO: ACL tutorial)
• Did you perform a security audit on 3rd party extensions used on the store?
  • At the very least execute Extension Code Review against Magento Coding Standards
  • Review if Passwords/API Credentials or other Sensitive Data stored by 3rd Party Extension are not save in Database using plaintext!
  • (TODO: Link to more sample tools to help perform security audit on extensions)
• Review the need of using Magento_Swagger & Magento_Version Modules in Production Environment (consider to Disable those CORE Modules or at the very least restrict access to hostname/magento_version and hostname/swagger)

Magento Admin settings

• Are you using a custom Magento Admin URL?
• Is access to your Admin URL IP whitelisted or protected via VPN?
• Confirm that Web -> Default Cookie Settings -> Use HTTP Only is not disabled?
• Are you using 2FA for your admin login?
  • MageSpecialist TwoFactorAuth module
• Are there any old/unused admin users which were created for testing or development that should be removed?

Server settings

• Is your site logging information in a format that is easily reviewed by your team?
• Is your site logging any potentially sensitive information?
• Is you TLS certificate properly installed and your OpenSSL configuration set to high standards?
  • SSL Server Test
• Do you have notifications turned on for filesystem integrity?
• Disable Server Signature:
  • Nginx - server_tokens off;
  • Apache - ServerSignature Directive - ServerSignature Off
  • Apache - ServerTokens Directive - ServerTokens Prod
• Disable PHP Signature
  • Edit php.ini and set expose_php = Off
• Are there any (development) files or database dumps lying around in the production document root that are not intended for public useage (for example info.php, phpinfo.php, dbdump.sql.gz)?
• Does an unecessary .git folder or .gitignore file exist in your production filesystem?
• Do all your folders in your docroot have the appropriate permissions set? (for example var/logs, /var/report, install)?
• Have you analyzed your HTTP response headers for problems?
  • Analyse your HTTP response headers
• Unless you have specific requirements for them have you limited all requests to GET and PUT?

Regular Maintenance

• Do you have an Incident Response Plan implemented and tested (mock scenario)?
  • Magento Incidence Response Plan template
• Do you have a person with regular scheduled time to review log messages for suspicious behaviour?
  • What is your process for dealing with IP address that are attempted to directory bruteforcing?
• Do you have automated offsite backups for your site enabled?

Magento Core

• Does your site contain the latest security patches and updates?
  • Magereport community scanner
  • Magento security scanner
• Do you have a person with a subscription to security notices from Magento security blog for urgent patches/updates?
  • Magento Security center
• Do you have a recurring reminder to execute regularly review validity of existing Admin accounts?
  • Recommended monthly

External security concerns

• If you are using a Web Application Firewall (WAF) does it provide virtual patching and how do you keep it up to date?