
Security is one of the main concerns of any online merchant. Unfortunately, the number of cyberattacks is skyrocketing, and no eCommerce platform, including Magento | Adobe Commerce, can provide you with 100% security against hackers. However, Magento | Adobe Commerce ships with solid default security functionality that helps you minimize the risks. Today, I’ll tell you about the native Magento security features and how to configure them.

Default Magento | Adobe Commerce Security Features

Two-Factor Authentication 

The Magento | Adobe Commerce Admin area provides access to your store, orders, and customer data. To protect all this data from unauthorized access, you can enable two-factor authentication. 2FA isn’t available for customer accounts. By default, Magento 2 supports four providers that can be enforced for all admin users:

  • Google Authenticator 
  • Duo Security 
  • Authy
  • U2F

Let’s take a look at how to configure all of them. 

  1. Admin Sidebar > Stores > Configuration > Security > 2FA. 
  2. General > Select a provider to use (if you want to select multiple providers, hold down the Ctrl key).
  3. Save Config.

Google Authenticator. If you want to change how long a one-time password stays valid, clear the Use system value checkbox and enter the number of seconds you want the OTP Window to be valid.
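To make the OTP Window setting concrete, here is an added example (written for this article edit, not Magento’s or Google’s code) that implements RFC 6238 TOTP the way Google Authenticator computes codes, plus a verifier that accepts a code within a configurable window. The `window_seconds` parameter, and its conversion into a number of 30-second steps on either side of the current time, is my assumption about how a window expressed in seconds maps onto TOTP steps; the secret and timestamps are the RFC 6238 test values.

```python
import base64
import hashlib
import hmac
import struct
import time

TIME_STEP = 30  # seconds per TOTP step (RFC 6238 default, used by Google Authenticator)


def secret_from_base32(encoded: str) -> bytes:
    """Authenticator apps receive the shared secret as base32 (from the QR code)."""
    padded = encoded.strip().upper() + "=" * (-len(encoded) % 8)
    return base64.b32decode(padded)


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte counter, dynamically truncated."""
    msg = struct.pack(">Q", counter)
    mac = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at_time: int, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / 30)."""
    return hotp(secret, at_time // TIME_STEP, digits)


def verify_totp(secret: bytes, code: str, at_time: int, window_seconds: int = 30) -> bool:
    """Accept `code` if it matches the current step or any step within
    +/- window_seconds (assumption: window is rounded down to whole steps).
    A larger window tolerates clock drift on the phone, but it also keeps
    every code usable for longer, which is the trade-off behind the setting."""
    steps = window_seconds // TIME_STEP
    return any(
        hmac.compare_digest(totp(secret, at_time + offset * TIME_STEP), code)
        for offset in range(-steps, steps + 1)
    )


# RFC 6238 Appendix B test secret, as it would appear in an authenticator app.
RFC_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"

if __name__ == "__main__":
    secret = secret_from_base32(RFC_SECRET_B32)
    now = int(time.time())
    print("current code:", totp(secret, now))
    print("accepted with 30 s window:", verify_totp(secret, totp(secret, now), now, 30))
    print("60 s old code, 30 s window:", verify_totp(secret, totp(secret, now - 60), now, 30))
    print("60 s old code, 90 s window:", verify_totp(secret, totp(secret, now - 60), now, 90))
```

The last two lines show what the window buys you: a code from two steps ago is rejected with the default window and accepted with a larger one, so widen it only as far as your admins’ clock drift actually requires.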

Duo Security. Enter the following credentials from your Duo Security account:

  • Integration key
  • Secret key
  • API hostname

Authy

  1. Enter the API key from your Authy account.
  2. If you want to change the default message that appears during authentication, clear the Use system value checkbox and enter the OneTouch Message you want to appear.

U2F Devices (Yubikey and others). If you want to use a custom domain rather than the default one, clear the Use system value checkbox and enter the WebApi Challenge Domain.


Data Encryption

Advanced data encryption is one of the best Magento | Adobe Commerce security features. The platform uses the AES-256 algorithm to encrypt all sensitive data like credit card information, payment and shipping module passwords, etc. Besides, Magento | Adobe Commerce uses the SHA-256 algorithm to hash all data that does not require decryption. Data encryption is available in both free and paid Magento | Adobe Commerce versions. 

When you install Magento | Adobe Commerce, you can let the platform generate an encryption key or set your own key using the Magento Encryption Key Tool. If you want your store to stay secure, you should change the encryption key regularly. When you change this key, the platform re-encrypts all confidential data with the new key.

How to Change the Original Encryption Key

  1. Make sure that the file [your store]/app/etc/env.php is writable.
  2. Admin Panel > System > Other Settings > Manage Encryption Key.
  3. Choose between auto-generation or using your own key.

a) If you want the new key to be auto-generated, set Auto-generate a Key to Yes and click the Change Encryption Key button.

b) If you want to use a different key, set Auto-generate a Key to No. Then, enter the key you want to use in the New Key field. Click the Change Encryption Key button.

How to Generate a Site Key and a Secret Key

  1. Visit the Google reCAPTCHA page and open the registration form.
  2. Set the name.
  3. Select the Invisible reCAPTCHA option.
  4. Define the domain of your website.
  5. Tick the Terms of use checkbox.
  6. Press the Submit button.
  7. Copy Site and Secret keys.


Frontend/Backend CAPTCHA

As you know, CAPTCHA is a test that determines whether a human being or a bot is interacting with a website. In Magento | Adobe Commerce you can add CAPTCHA both for customers and admins.

Admin CAPTCHA

  1. Admin Sidebar > Stores > Configuration.
  2. Set scope to Default.
  3. Left panel > Advanced > Admin > CAPTCHA.
  4. Set Enable CAPTCHA in Admin to Yes.
  5. Complete the fields using the example below.
  6. Save Config.

Storefront CAPTCHA

  1. Admin Sidebar > Stores > Configuration.
  2. Left panel > Customers > Customer Configuration.
  3. Set Enable CAPTCHA on storefront to Yes. 
  4. Complete the fields using the example below.
  5. Save Config.


Session Validation 

This Magento | Adobe Commerce security feature validates session variables to defend against session attacks and hijacking. The validation checks that visitors are who they say they are by comparing the values of the validation variables in each request against the data already stored in $_SESSION for that user. If a session variable fails validation, the client session is terminated immediately.

By default, validation of all session variables is disabled. There is no doubt that enabling all of the validation variables helps to prevent session attacks. However, it may also have a negative impact on your server environment and on legitimate users. That’s why you need to test different combinations of the validation variables to find the most suitable one for your Magento | Adobe Commerce installation.

How to Change Magento | Adobe Commerce Session Validation Settings

  1. Admin Panel > Stores > Configuration > General > Web > Session > Session Validation Settings.
  2. Configure the needed variables: 
  • Set Validate REMOTE_ADDR to Yes if you want to verify that the IP address of a request matches what is stored in the $_SESSION variable;
  • Set Validate HTTP_VIA to Yes to verify that the proxy address of an incoming request matches what is stored in the $_SESSION variable;
  • Set Validate HTTP_X_FORWARDED_FOR to Yes if you want to verify that the forwarded-for address of a request matches what is stored in the $_SESSION variable;
  • Set Validate HTTP_USER_AGENT to Yes to verify that the browser or device used to access the store during a session matches what is stored in the $_SESSION variable.
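The trade-off described above is easiest to see with a small model of the check. The following is an added example written for this article (not Magento’s code): it stores the selected request variables at login, compares them on every later request, and shows why a strict configuration rejects both a replayed session and a legitimate user whose address changed. The request dictionaries are constructed sample data using documentation IP ranges.

```python
import hmac
from typing import Dict, Optional, Tuple

# The four switches from the admin panel; all off by default, as on the page.
DEFAULT_VALIDATORS = {
    "REMOTE_ADDR": False,
    "HTTP_VIA": False,
    "HTTP_X_FORWARDED_FOR": False,
    "HTTP_USER_AGENT": False,
}


def fingerprint(request: Dict[str, str], enabled: Dict[str, bool]) -> Dict[str, str]:
    """Collect only the enabled request variables; a missing header counts as ''."""
    return {name: request.get(name, "") for name, on in enabled.items() if on}


def start_session(user_id: str, request: Dict[str, str], enabled: Dict[str, bool]) -> Dict:
    """Create the session record, storing the fingerprint next to the session data."""
    return {"user_id": user_id, "validator": fingerprint(request, enabled)}


def validate_session(session: Dict, request: Dict[str, str],
                     enabled: Dict[str, bool]) -> Tuple[bool, Optional[str]]:
    """Return (ok, failing_variable). The first mismatch ends the session."""
    stored = session["validator"]
    for name, value in fingerprint(request, enabled).items():
        # compare_digest avoids leaking which prefix matched through timing.
        if not hmac.compare_digest(stored.get(name, ""), value):
            return False, name
    return True, None


# Constructed sample requests (not real traffic).
FIREFOX = "Mozilla/5.0 (X11; Linux x86_64; rv:115.0) Gecko/20100101 Firefox/115.0"
LOGIN_REQUEST = {"REMOTE_ADDR": "203.0.113.10", "HTTP_USER_AGENT": FIREFOX}
SAME_CLIENT = dict(LOGIN_REQUEST)
REPLAYED_ELSEWHERE = {"REMOTE_ADDR": "198.51.100.77", "HTTP_USER_AGENT": "curl/8.0.1"}
SAME_USER_NEW_IP = {"REMOTE_ADDR": "203.0.113.55", "HTTP_USER_AGENT": FIREFOX}


def demo(enabled: Dict[str, bool]) -> Dict[str, Tuple[bool, Optional[str]]]:
    """Run the three sample requests against a session created at login."""
    session = start_session("admin", LOGIN_REQUEST, enabled)
    return {
        "same_client": validate_session(session, SAME_CLIENT, enabled),
        "replayed": validate_session(session, REPLAYED_ELSEWHERE, enabled),
        "new_ip": validate_session(session, SAME_USER_NEW_IP, enabled),
    }


if __name__ == "__main__":
    strict = dict(DEFAULT_VALIDATORS, REMOTE_ADDR=True, HTTP_USER_AGENT=True)
    relaxed = dict(DEFAULT_VALIDATORS, HTTP_USER_AGENT=True)
    for label, cfg in (("strict", strict), ("relaxed", relaxed)):
        for case, result in demo(cfg).items():
            print(f"{label:8s} {case:12s} -> {result}")
```

With REMOTE_ADDR enabled, the user on a mobile connection whose address changes mid-session is logged out just like the replayed session is; with only HTTP_USER_AGENT enabled that user keeps working, but the check is weaker. Behind a reverse proxy or CDN, REMOTE_ADDR may be the proxy’s address for every visitor, which is when the HTTP_VIA and HTTP_X_FORWARDED_FOR options become the ones worth testing.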

Cookies Configuration 

The General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA) require online merchants to collect customer personal data securely, transparently, and with customer consent. To protect cookies from theft, you should apply the HttpOnly attribute, which prevents cookies from being read by JavaScript. By default, Magento checks whether HTTPS is enabled and sets the cookie’s Secure flag automatically.

You can apply the HttpOnly flag via your admin panel, changing the default cookie settings:

1. Admin Panel > Stores > Configuration > General > Web > Default Cookie Settings > Set the Use HTTP Only field to Yes.
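After saving that setting, the thing to verify is what the store actually sends. Here is an added example (my own code, not part of Magento) that parses Set-Cookie headers and reports which cookies are missing the HttpOnly and Secure attributes; the header lines are constructed samples, not captured from a real store.

```python
from typing import Dict, List, Tuple

# Attributes every cookie that carries session or identity data should have.
REQUIRED_FLAGS = ("HttpOnly", "Secure")


def parse_set_cookie(header: str) -> Tuple[str, Dict[str, str]]:
    """Split one Set-Cookie header value into (cookie name, {attribute: value}).
    Attribute names are case-insensitive, so they are stored lower-cased;
    valueless attributes such as HttpOnly map to ''."""
    parts = [part.strip() for part in header.split(";")]
    name = parts[0].partition("=")[0].strip()
    attrs: Dict[str, str] = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip()
    return name, attrs


def missing_flags(header: str) -> List[str]:
    """Return the required attributes this cookie does not set."""
    _, attrs = parse_set_cookie(header)
    return [flag for flag in REQUIRED_FLAGS if flag.lower() not in attrs]


def audit(headers: List[str]) -> Dict[str, List[str]]:
    """Map each cookie name to its list of missing flags (empty list = fine)."""
    report: Dict[str, List[str]] = {}
    for header in headers:
        name, _ = parse_set_cookie(header)
        report[name] = missing_flags(header)
    return report


# Constructed Set-Cookie values, as they might appear in a storefront response.
SAMPLE_SET_COOKIE = [
    "PHPSESSID=constructed-session-id; Path=/; HttpOnly; Secure; SameSite=Lax",
    "admin=constructed-admin-session; Path=/admin; Secure",
    "store=default; Path=/",
]

if __name__ == "__main__":
    for cookie, missing in audit(SAMPLE_SET_COOKIE).items():
        status = "ok" if not missing else "missing " + ", ".join(missing)
        print(f"{cookie:12s} {status}")
```

Run it over the Set-Cookie headers from a real response (a browser’s developer tools or `curl -I` will show them) rather than over the samples. The admin setting only affects cookies Magento itself issues, so extensions that set their own cookies need checking separately, and a cookie that your storefront JavaScript legitimately has to read cannot be HttpOnly, which is why the output is a review list rather than a verdict.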


Check our guide on How to Configure and Edit Cookies in Magento | Adobe Commerce.

Vladimir Repalo

Magento Developer at Mobecls, 8+ years of experience. Feel free to ask me anything about this post in the comments below.