Magento 2 Security Features

Get over it: security should be part and parcel of any online business process. As a merchant you know it firsthand: websites, and e-commerce sites in particular, are compromised 24/7, 365 days a year.

Retail is predicted to be one of the top 10 most attacked industries for 2019–2022


Well, who’s next? Maybe you… Or do you honestly believe Magento 2 is an exception? Unfortunately not.

As of 2020, there are more than 250,000 active eCommerce sites powered by Magento, which accounts for around 12% of all online stores


Magento has been one of the most prevalent platforms for years in comparison with other e-commerce solutions. Its technical capabilities cover not only the needs of e-commerce startups but also the demands of larger businesses and retail giants.

That fact makes the platform a sweet spot for attackers. That’s why we bring it up and tell you about Magento 2’s native security features and basic security hacks.

Basic security hacks for Magento 2

Use security scan

Run Magento Security Scan sessions regularly. This free tool tests your store for known security vulnerabilities and notifies you of relevant security patches. Find more information on the official page.

Also, check the security best practices on how to protect the environment and Magento, and which signs can point to attack attempts.

Here you’ll find which settings to apply to protect your admin panel from malicious activity.

Use frontend/backend CAPTCHA and Google ReCAPTCHA

Starting with version 2.3, Magento allows you to set up CAPTCHA for both the frontend and the backend of your store to make sure it is a human who is attempting to access your website. Find more information on how to set it up here.

Besides, Google reCAPTCHA is now available in Adobe Commerce. Google reCAPTCHA can provide enhanced security through a selection of different display options and methods. Find more information here.

Use two-factor authentication

In version 2.3 the feature was disabled by default; in 2.4+ it is obligatory. The authentication is provided only for store admins and doesn’t extend to customers.

  1. To set up Magento 2FA, go to Stores > Settings > Configuration.
  2. Under the Security tab, choose 2FA.
  3. Open the General section and select your Provider.
  4. Complete the settings of your provider according to the documentation.
  5. Save.


Use strong passwords

  • Change the default admin URL key to a custom one.
  • Use an IP whitelist (only particular IP addresses can access your admin panel) or VPN services.
  • Change your passwords at least once every three months.
  • Give admin access only to those users who really need it, and grant access only to the admin tabs necessary for their work by configuring admin roles. Never share one account among several users. Additionally, a Magento security audit can provide an extra layer of protection, ensuring that your e-commerce platform is safeguarded against potential vulnerabilities and threats.

Use advanced admin access permissions

In Magento 2 Commerce, you can set scopes based on the website/store view, so a user only has permission to see data related to a particular website/store view. It also logs admin users’ actions.


With the mass migration to the 2.4+ version and the large number of detected vulnerabilities, the Magento Security Center regularly releases security patches and updates for the basic admin configurations we discuss here today.


Strong data encryption is one of the well-known Magento 2 security features. It is available for both Magento Commerce and Magento Open Source and is centered around the use of a strong encryption key to protect passwords and other sensitive information.

All sensitive information is encrypted with the AES-256 algorithm. This confidential data, which later has to be decrypted, includes credit card information and payment and shipping module passwords. The remaining information does not require decryption and is therefore hashed with SHA-256.

When installing Magento, you can choose either to let the platform generate an encryption key or to type in your own. The Magento Encryption Key tool lets you set a key as you need it.

To improve your store’s security, the key should be changed regularly, and in any case whenever the original key might have been compromised. Once the encryption key is changed, all the confidential information is re-encrypted with the new key.


To change the encryption key, make sure that the following file is writable: [your store]/app/etc/env.php.

  • When logged into the Admin Panel, navigate to System > Other Settings > Manage Encryption Key;
  • Choose either to auto-generate the key or to use your own one;
  • For the first variant, set Auto-generate a Key to “Yes” and click the Change Encryption Key button;
  • To use a different key set Auto-generate a Key to “No”. Then in the New Key field, enter the key that you want to use and click the Change Encryption Key button.

Once that’s done, the new key is in place. Keep a record of the new key in a safe place, as you may need it to decrypt the data if any problems occur with your files.

→ See how to generate a Site/Secret Key


Magento 2 Open Source offers validation of session variables as a protective measure against session attacks, i.e. attempts to poison or hijack user sessions.

This Magento 2 security feature determines how session variables are validated on each store visit, and whether the session ID is included in the store URL. Validation checks that visitors are who they claim to be by comparing the values of the validation variables against the session data already stored in $_SESSION for that user.

Validation fails if the information is not transmitted as expected and the corresponding variable is empty. If a session variable fails validation, the client session is terminated immediately.

Enabling all of the validation variables can help prevent attacks but might also impact server performance. By default, all session variable validation is disabled, so you need to experiment with the settings to find the best combination for your Magento installation. Activating all of the validation variables might prove too restrictive and block customers whose Internet connections pass through a proxy server or originate from behind a firewall.

If you’re using the default Magento 2 session storage, your session files will be located in the following directories:

  • <magento_root>/var/session
  • the directory defined in the env.php file
  • the directory configured in the php.ini file


Magento 2 has the following session types:

  1. Magento\Backend\Model\Session that is used for backend
  2. Magento\Catalog\Model\Session that is used for the catalog filters
  3. Magento\Checkout\Model\Session that is used for checkout
  4. Magento\Customer\Model\Session that is used for customer accounts
  5. Magento\Newsletter\Model\Session that is used for newsletter data.

To configure validation, log into the Admin Panel and navigate to Stores > Settings > Configuration > General > Web > Session Validation Settings, then set the following variables:

  • Set Validate REMOTE_ADDR to “Yes” to verify that the IP address of a request matches what is stored in the $_SESSION variable;
  • Set Validate HTTP_VIA to “Yes” to verify that the proxy address of an incoming request matches what is stored in the $_SESSION variable;
  • Set Validate HTTP_X_FORWARDED_FOR to “Yes” to verify that the forwarded-for address of a request matches what is stored in the $_SESSION variable;
  • Set Validate HTTP_USER_AGENT to “Yes” to verify that the browser or device used to access the store during a session matches what is stored in the $_SESSION variable;
  • Set Use SID on Frontend to “Yes” if you want a user to stay logged in while switching between stores.
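The check described above, written out as an added Python illustration (not Magento’s own PHP): a snapshot of the four request variables is stored in the session on the first visit, each enabled validator is compared on later requests, and a mismatch, including a value that is now empty, terminates the session. The session key name and the request dictionaries are assumptions constructed for this example; the proxy scenario shows why enabling Validate REMOTE_ADDR can lock out customers behind a proxy pool.

```python
# The four request variables the "Validate ..." switches can check.
VALIDATORS = ("REMOTE_ADDR", "HTTP_VIA", "HTTP_X_FORWARDED_FOR", "HTTP_USER_AGENT")
# Session key holding the snapshot (assumed name for this example).
VALIDATOR_KEY = "_session_validator_data"


def snapshot(request):
    """Capture the validator values from a dict of server variables."""
    return {name: request.get(name, "") for name in VALIDATORS}


def validate_session(session, request, enabled):
    """Validate one request against the session; return (ok, reason).

    session: the $_SESSION-like dict for this visitor
    request: the current server variables
    enabled: the validators switched to "Yes" in the admin panel
    """
    stored = session.get(VALIDATOR_KEY)
    if stored is None:
        # First request of the session: record what later requests must match.
        session[VALIDATOR_KEY] = snapshot(request)
        return True, "initialised"
    for name in VALIDATORS:
        if name not in enabled:
            continue
        # Any difference fails, including a value that was present at session
        # start but is empty now (not transmitted as expected).
        if stored.get(name, "") != request.get(name, ""):
            return False, f"{name} mismatch"
    return True, "valid"


def handle_request(session, request, enabled):
    """A failed validation terminates the session immediately."""
    ok, reason = validate_session(session, request, enabled)
    if not ok:
        session.clear()  # drops the login state along with everything else
    return ok, reason


# Constructed requests: a logged-in customer, the same customer leaving a
# corporate proxy pool from another egress address, and a stolen session id
# replayed from a different client.
CUSTOMER = {"REMOTE_ADDR": "203.0.113.10", "HTTP_USER_AGENT": "Mozilla/5.0 (X11)"}
VIA_OTHER_PROXY = dict(CUSTOMER, REMOTE_ADDR="203.0.113.11")
STOLEN_SID = {"REMOTE_ADDR": "198.51.100.7", "HTTP_USER_AGENT": "curl/8.0"}


def proxy_scenario(enabled):
    """Does the proxied customer keep the session under this validator set?"""
    session = {"customer_id": 42}
    handle_request(session, CUSTOMER, enabled)
    ok, _ = handle_request(session, VIA_OTHER_PROXY, enabled)
    return ok
```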

If you run SID with analytics, configure your analytics software to filter the SID from URLs, so the page visit counts are correct.

  • To remove the SID from Magento 2 URLs, go to Stores > Configuration > General > Web and open the Session Validation Settings section.
  • Set the Use SID on Storefront field to No.
  • Then re-index Magento and refresh the cache, and the SID will be removed from Magento 2 URLs.


An HTTP cookie is a small packet of data sent from a web server to a user’s web browser to carry data from one page to another. It is required because HTTP is a stateless protocol.

Due to security issues such as the growing number of cookie poisoning and theft incidents, a new cookie type, the secure cookie, was introduced. Such a cookie is transmitted only over an encrypted HTTP connection: the Secure attribute dictates how the browser returns the cookie to the application (only over the encrypted connection).

However, the Secure attribute alone doesn’t protect the cookie in the process of transmitting it from the application to the browser. To protect the cookie completely, the HttpOnly and SameSite attributes should also be applied. The HttpOnly attribute prevents cookies from being accessed by JavaScript, whereas the SameSite attribute allows cookies to be sent to the application only when the request originates from the same domain. By default, Magento checks whether HTTPS is enabled and sets the Secure flag automatically.

Having come into force in 2018, the General Data Protection Regulation requires you to make any collection of personal data transparent, secure, and subject to user consent. We developed this GDPR extension to help you comply with the requirements and avoid fines.
We also developed a separate LGPD extension to help merchants selling products in Brazil comply with the Brazilian General Data Protection Law, which came into effect in August 2020.

To comply with the California Consumer Privacy Act, use this CCPA extension. It helps you set up a data erasure routine so that all information necessary for tax inspection is stored for a set period of time. While a regular CCPA extension focuses on 90 days of data storage only, our module allows 45, 90, and 180 day periods.


If you want to apply the HttpOnly flag, you can do so in the backend by changing the default cookie settings.

  • Log in to the Admin Panel and navigate to Stores > Settings > Configuration > General > Web > Default Cookie Settings.
  • Set the Use HTTP Only field to “Yes” if you need all cookies to include the HttpOnly directive.

Once the setting is enabled, HttpOnly cookies are not accessible to JavaScript and therefore cannot be stolen via XSS.
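As an added Python example (not Magento code), the following builds a Set-Cookie header the way the settings above describe, with Secure set only when HTTPS is on and HttpOnly following the Use HTTP Only switch, and audits any raw Set-Cookie header for the three attributes discussed. The cookie names and values are constructed for the example.

```python
from http.cookies import SimpleCookie


def build_session_cookie(name, value, https_enabled, http_only=True, same_site="Lax"):
    """Return a Set-Cookie header value with the protective attributes applied.

    Secure follows the HTTPS check, HttpOnly the "Use HTTP Only" setting, and
    SameSite restricts the cookie to same-site requests.
    """
    jar = SimpleCookie()
    jar[name] = value
    jar[name]["path"] = "/"
    jar[name]["secure"] = https_enabled      # emitted only when True
    jar[name]["httponly"] = http_only        # emitted only when True
    jar[name]["samesite"] = same_site
    return jar[name].OutputString()


def audit_set_cookie(header):
    """List the protective attributes missing from a raw Set-Cookie value."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    attrs = {}
    for part in parts[1:]:  # parts[0] is name=value
        key, _, val = part.partition("=")
        attrs[key.lower()] = val if val else True
    missing = []
    if "secure" not in attrs:
        missing.append("Secure")
    if "httponly" not in attrs:
        missing.append("HttpOnly")
    same_site = attrs.get("samesite")
    # SameSite=None (or no SameSite at all) still allows cross-site sending.
    if not isinstance(same_site, str) or same_site.lower() not in ("lax", "strict"):
        missing.append("SameSite=Lax|Strict")
    return missing


# Constructed example: a session cookie as a store over HTTPS would issue it.
SAMPLE_HEADER = build_session_cookie("PHPSESSID", "abc123", https_enabled=True)
```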


Incidents involving CSRF (Cross-Site Request Forgery, or XSRF) were not rare in 2017 due to the clever exploitation of common cross-platform vulnerabilities together with security breaches in Magento 2. As a consequence, the Magento DC-2017-04-003 advisory convinced merchants to use the Add Secret Key to URLs configuration to stay protected against CSRF attacks.

Even though the key is enabled in Magento 2 by default, many admin users underestimated the importance of changing it and suffered troublesome outcomes. If an experienced attacker somehow obtains your form key, a CSRF attack can be constructed in any form without the need for password confirmation.

One method attackers use is parsing the administrative dashboard page for the secret keys of other pages until they eventually find the one they need. Frequently, hackers force the execution of actions on the vulnerable site on behalf of a victim: changing the password, the secret question for password recovery, the email, etc.

However, an additional token is applied by the platform developers to protect against such attacks: a randomly generated 16-character alphanumeric string, passed as the form_key parameter, is used as an additional CSRF token in all forms in the Admin Panel.

ordinary URL fragment:
URL fragment with salt (16-character alphanumeric string):

The additional token is automatically generated along with any form that sends information, and after the form is submitted the Magento 2 platform checks for a match between the token submitted and the one stored in the session.

If the two coincide, the user for whom the form was generated and the user who submitted it are the same. If they do not coincide, the form is not processed further and no information can be changed by an attacker.
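The form_key flow described above, as an added Python illustration rather than Magento’s own implementation: a 16-character alphanumeric token is bound to the session, embedded in every form, and compared in constant time on submission, so a forged request that lacks the key or carries a key from another session is refused. The session key name, the form markup and the response messages are assumptions for this example.

```python
import hmac
import secrets
import string

ALPHABET = string.ascii_letters + string.digits
FORM_KEY_SESSION_NAME = "_form_key"  # assumed session key name


def generate_form_key():
    """Random 16-character alphanumeric token, as the post describes."""
    return "".join(secrets.choice(ALPHABET) for _ in range(16))


def get_form_key(session):
    """Return the token bound to this session, creating it on first use."""
    if FORM_KEY_SESSION_NAME not in session:
        session[FORM_KEY_SESSION_NAME] = generate_form_key()
    return session[FORM_KEY_SESSION_NAME]


def render_form(session, action):
    """Emit a form with the session's token as the hidden form_key field."""
    key = get_form_key(session)
    return (f'<form action="{action}" method="post">'
            f'<input type="hidden" name="form_key" value="{key}">'
            f'</form>')


def validate_form_key(session, submitted):
    """True only if the submitted token matches the one in the session."""
    stored = session.get(FORM_KEY_SESSION_NAME)
    if not stored or not submitted:
        return False
    # Constant-time comparison so the check leaks nothing about the token.
    return hmac.compare_digest(stored, submitted)


def handle_post(session, post):
    """Gate a state-changing action on a matching form_key."""
    if not validate_form_key(session, post.get("form_key", "")):
        return 403, "form_key missing or does not match the session"
    return 200, "ok"
```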


An XSS vulnerability, which can be found in any web application, is usually exploited by attackers to inject malicious code into a web page visited by users. The main XSS vulnerability types include:

  • Persistent XSS: unvalidated data is received from the database or another backend permanent store;
  • Non-persistent XSS: data provided by a web client is used by server-side scripts to parse and display a page to the user without deeper verification;
  • DOM XSS: malicious data is reflected by JavaScript code on the client side without any interaction with the web server.

Therefore, Magento 2 extension developers should avoid introducing these vulnerabilities in their code.


Both user input and output should be verified and cleaned to prevent malicious code from being stored and executed. You need to sanitize strings that could come from external data sources before sending them to the browser and rendering them in templates. For more information about template XSS security, see here.
Besides, Magento now offers the Escaper class for escaping HTML output. It provides the following handy functions:

  • escapeHtml() escapes strings inside HTML content;
  • escapeHtmlAttr() escapes strings inside HTML tag attributes;
  • escapeCss() escapes strings inside a CSS context;
  • escapeJs() escapes strings inside a JavaScript context;
  • and escapeUrl() escapes strings that are to be used in a URL.
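To show why one escaper per output context matters, here is an added Python sketch of the five contexts listed above (simplified stand-ins written for this post, not the Escaper class itself): the same untrusted product name is rendered safely into HTML text, an attribute, a script block, a stylesheet and a query string. The template and the sample input are constructed for the example.

```python
import html
from urllib.parse import quote


def escape_html(s):
    """HTML content: entity-encode & < > " ' so tags cannot be injected."""
    return html.escape(s, quote=True)


def escape_html_attr(s):
    """HTML attribute: encode everything except alphanumerics and , . - _"""
    return "".join(ch if (ch.isascii() and ch.isalnum()) or ch in ",.-_"
                   else "&#x%X;" % ord(ch) for ch in s)


def escape_js(s):
    """JavaScript string: \\uXXXX-escape every non-alphanumeric code unit."""
    out = []
    for ch in s:
        if (ch.isascii() and ch.isalnum()) or ch in ",._":
            out.append(ch)
        else:
            units = ch.encode("utf-16-be")  # astral chars become two units
            for i in range(0, len(units), 2):
                out.append("\\u%04X" % int.from_bytes(units[i:i + 2], "big"))
    return "".join(out)


def escape_css(s):
    """CSS string: hex-escape non-alphanumerics, trailing space ends the escape."""
    return "".join(ch if (ch.isascii() and ch.isalnum()) else "\\%X " % ord(ch)
                   for ch in s)


def escape_url(s):
    """URL component: percent-encode everything except unreserved characters."""
    return quote(s, safe="")


def render_product(name):
    """One untrusted value placed into five contexts, each with its escaper."""
    return (f'<div title="{escape_html_attr(name)}">{escape_html(name)}</div>\n'
            f'<script>var product = "{escape_js(name)}";</script>\n'
            f'<style>.tag::before {{ content: "{escape_css(name)}"; }}</style>\n'
            f'<a href="/search?q={escape_url(name)}">search</a>')


# Constructed input: a product name carrying markup and quote characters.
SAMPLE_NAME = '</div><b title="x">Chair</b> & "Table"'
```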


Working shoulder to shoulder with our clients, we are no strangers to the problem. We have to say that all the security features enumerated in this post are basic protective measures built into Magento 2.

However, all the add-ons installed on your platform should also be free of security holes, so check the vendors you buy your extensions from.

Following the latest cybersecurity news, we continue offering security patches installation service. We do everything possible to safeguard clients and ourselves.

Have any ideas or hacks? Just drop us a line below.

That’s a wrap for today!

P.S. This post was delivered to you by Amasty Team Lead of Support, Kira Kharevich, and ex-Amasty Magento Developer, Eugene Shevchuk.

December 17, 2018
Magento 2.3 has fixed over 30 security issues. It also includes two-factor authentication and Google reCAPTCHA which makes the Magento store more secure.
Alina Bragina
March 15, 2019
Hi Codiar, thanks for reading the post and making such a useful contribution!
This blog was created with Amasty Blog Pro