Like it or not, security has to be part and parcel of any online business process. As a merchant you know it firsthand: websites, and e-commerce sites in particular, are compromised 24/7, 365 days a year.

According to the latest Foregenix survey, 47K out of 60K e-commerce websites lack critical security patches, and more than 3K of them were hacked in 2017 and leaked sensitive customer data. Well, who’s next? Maybe you… Or do you honestly believe Magento 2 is an exception? Unfortunately not.

Magento has for years been one of the most prevalent e-commerce platforms. Its technical capabilities cover not only the needs of e-commerce startups but also the demands of larger businesses and retail giants.

That makes the platform a sweet spot for attackers, and it is why we decided to bring the subject up and walk you through the native security features of Magento 2.

5 Magento 2 security features

With the mass migration to the new version and the large number of detected vulnerabilities, the Magento Security Center regularly releases security patches and updates; here we cover the basic admin configurations.

The major built-in protective configurations presented below can be used by anyone running Magento 2:

#1 Strong data encryption

Strong data encryption is one of the best-known Magento 2 security features. It is available in both Magento Commerce and Magento Open Source and is built around a strong encryption key that protects passwords and other sensitive information.

All sensitive information is encrypted with AES-256. This covers confidential data that must later be decrypted: credit card information and payment and shipping module passwords. The remaining sensitive data never needs to be decrypted and is therefore hashed with SHA-256 instead.

When installing Magento you can either let the platform generate an encryption key or type in your own. The Magento Encryption Key tool lets you set the key as you need it.

To keep your store secure, the key should be changed regularly, and in any case whenever the original key might have been compromised. Once the encryption key is changed, all confidential information is re-encrypted with the new key.

How to change the original encryption key for Magento 2 security?

To change the encryption key, make sure that the following file is writable: [your store]/app/etc/env.php.

  • When logged into the Admin Panel, navigate to System>Other Settings>Manage Encryption Key:


  • Choose either to auto-generate the key or to use your own one;
  • For the first variant, set Auto-generate a Key to “Yes” and click the Change Encryption Key button;
  • To use a different key set Auto-generate a Key to “No”. Then in the New Key field, enter the key that you want to use and click the Change Encryption Key button.

Once that’s done, the new key is in place. Keep a record of the new key in a safe place, as you may need it to decrypt the data if anything goes wrong with your files.
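To make the two treatments above concrete, here is an added example (not Magento’s own code, and not its on-disk format) that encrypts a module password with AES-256, hashes a customer password one-way, and re-encrypts every stored secret when the key is rotated; the key names and values are constructed for the demonstration.

```php
<?php
declare(strict_types=1);

// Added example (not Magento's own code): reversible data is encrypted with
// AES-256 (GCM mode here), a password is hashed and never decrypted, and a key
// change means decrypting with the old key and re-encrypting with the new one.

function encryptSecret(string $plaintext, string $key): string
{
    $iv  = random_bytes(12);   // fresh nonce per encryption
    $tag = '';
    $ct  = openssl_encrypt($plaintext, 'aes-256-gcm', $key, OPENSSL_RAW_DATA, $iv, $tag);
    return base64_encode($iv . $tag . $ct);
}

/** Returns null when the key is wrong: GCM authentication fails instead of yielding garbage. */
function decryptSecret(string $blob, string $key): ?string
{
    $raw = base64_decode($blob, true);
    [$iv, $tag, $ct] = [substr($raw, 0, 12), substr($raw, 12, 16), substr($raw, 28)];
    $pt = openssl_decrypt($ct, 'aes-256-gcm', $key, OPENSSL_RAW_DATA, $iv, $tag);
    return $pt === false ? null : $pt;
}

/** Key rotation: every stored secret is decrypted with the old key and re-encrypted with the new one. */
function reEncryptAll(array $store, string $oldKey, string $newKey): array
{
    return array_map(fn ($blob) => encryptSecret(decryptSecret($blob, $oldKey), $newKey), $store);
}

// Constructed data: a 256-bit key as generated at install time, one module
// password kept under a config-style path, and one customer password.
$oldKey = random_bytes(32);
$store  = ['payment/gateway/password' => encryptSecret('s3cr3t-api-token', $oldKey)];
$hashed = hash('sha256', 'customer-password');   // one-way; production code adds a per-user salt

// Change the encryption key: the ciphertext is replaced, the plaintext survives.
$newKey = random_bytes(32);
$store  = reEncryptAll($store, $oldKey, $newKey);

echo 'decrypt with new key: ', decryptSecret($store['payment/gateway/password'], $newKey), "\n";
echo 'decrypt with old key: ', decryptSecret($store['payment/gateway/password'], $oldKey) ?? 'unrecoverable', "\n";
echo 'customer password hash (never decrypted): ', $hashed, "\n";
```

The second line of output is why the new key must be kept somewhere safe: once the data has been re-encrypted, the old key no longer opens it.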

#2 Session Validation

Magento 2 Open Source can validate session variables as a protective measure against session attacks, that is, attempts to poison or hijack user sessions.

This Magento 2 security feature determines how session variables are validated on each store visit and whether the session ID is included in the store’s URLs. The validation checks that visitors are who they claim to be by comparing the value of the validation variables against the session data already stored in $_SESSION for that user.

Validation fails if the information is not transmitted as expected and the corresponding variable is empty. If a session variable fails validation, the client session is terminated immediately.

Enabling all of the validation variables can help prevent attacks but may also affect server performance. By default, validation of all session variables is disabled, so you need to experiment with the settings to find the best combination for your Magento installation. Activating all of the validation variables may prove too restrictive and block customers whose Internet connections pass through a proxy server or originate from behind a firewall.

How to change Session Validation Settings in Magento 2?

  • Once logged into the Admin Panel, navigate to Stores>Settings>Configuration>General>Web>Session Validation Settings:


  • Choose how to set the following variables:

  • Set Validate REMOTE_ADDR to “Yes” if you want to verify that the IP address of a request matches what is stored in the $_SESSION variable;
  • Set Validate HTTP_VIA to “Yes” to verify that the proxy address of an incoming request matches what is stored in the $_SESSION variable;
  • Set Validate HTTP_X_FORWARDED_FOR to “Yes” if you want to verify that the forwarded-for address of a request matches what is stored in the $_SESSION variable;
  • Set Validate HTTP_USER_AGENT to “Yes” to verify that the browser or device used to access the store during a session matches what is stored in the $_SESSION variable;
  • Set Use SID on Frontend to “Yes” if you want a user to stay logged in while switching between stores.

If you use SID with analytics, configure your analytics software to filter the SID out of URLs so that page visit counts are correct.
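The validation logic described above, as an added example that is not Magento’s own code: each enabled validator records a request variable when the session starts and compares it on every later request, and the third constructed request shows the proxied-customer case that makes the stricter settings too restrictive. The `$server` and `$session` arrays stand in for `$_SERVER` and `$_SESSION`.

```php
<?php
declare(strict_types=1);

// Added example (not Magento's own code): a minimal model of session
// validation. $server stands in for $_SERVER and $session for $_SESSION.

/** Snapshot of the enabled validator values, taken when the session is created. */
function captureValidatorData(array $server, array $enabled): array
{
    $data = [];
    foreach ($enabled as $key) {
        $data[$key] = $server[$key] ?? '';   // an absent header is recorded as empty
    }
    return $data;
}

/** True only if every recorded value matches the current request exactly. */
function sessionIsValid(array $stored, array $server): bool
{
    foreach ($stored as $key => $expected) {
        if (($server[$key] ?? '') !== $expected) {
            return false;                    // mismatch: the caller must destroy the session
        }
    }
    return true;
}

// Constructed requests. Validate REMOTE_ADDR, HTTP_USER_AGENT and
// HTTP_X_FORWARDED_FOR are set to "Yes"; HTTP_VIA is left at "No".
$enabled = ['REMOTE_ADDR', 'HTTP_USER_AGENT', 'HTTP_X_FORWARDED_FOR'];
$first   = [
    'REMOTE_ADDR'          => '203.0.113.10',
    'HTTP_USER_AGENT'      => 'Mozilla/5.0 (X11; Linux x86_64)',
    'HTTP_X_FORWARDED_FOR' => '198.51.100.7',
];
$session = ['validator' => captureValidatorData($first, $enabled)];

// Next page view from the same client: accepted.
$second = $first;
// Same client, but its corporate proxy pool rotated the forwarded-for address:
// rejected. This is the "too restrictive" case for proxied customers noted above.
$third  = $first;
$third['HTTP_X_FORWARDED_FOR'] = '198.51.100.8';

foreach (['second' => $second, 'third' => $third] as $label => $request) {
    $ok = sessionIsValid($session['validator'], $request);
    echo "$label request: ", $ok ? 'session accepted' : 'validation failed, session terminated', "\n";
}
```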

#3 Cookie Validation

An HTTP cookie is a small packet of data sent from a web server to a user’s browser to carry data from one page to the next. It is needed because HTTP is a stateless protocol.

Because of security issues such as the growing number of cookie poisoning and theft incidents, a secure cookie type is now widely used. Such a cookie is transmitted only over an encrypted HTTPS connection: the Secure attribute tells the browser to return the cookie to the application over an encrypted connection only.

However, the Secure attribute does not protect the cookie while it is being transmitted from the application to the browser. To protect the cookie fully, the HttpOnly and SameSite attributes should also be applied. HttpOnly prevents cookies from being accessed by JavaScript, while SameSite makes the browser send cookies to the application only when the request originates from the same site. By default, Magento checks whether HTTPS is enabled and sets the Secure flag automatically.

How to enable the HttpOnly flag for cookies in Magento 2?

To apply the HttpOnly flag, change the default cookie settings in the backend.

  • Log in to the Admin Panel and navigate to Store>Settings>Configuration>General>Web>Default Cookie Settings:


  • Set the Use HTTP Only field to “Yes” if you need all cookies to include the HttpOnly directive.

Once the setting is enabled, HttpOnly cookies are not accessible to JavaScript running in the browser and therefore cannot be stolen via XSS.
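To confirm the setting took effect, the Set-Cookie headers the store returns can be checked for the three attributes discussed above. The following added example (not Magento’s own code) parses such headers and lists what is missing; the two header lines are constructed, the first resembling a plain-HTTP default and the second the hardened form.

```php
<?php
declare(strict_types=1);

// Added example (not Magento's own code): audit Set-Cookie headers for the
// Secure, HttpOnly and SameSite attributes. Feed it the raw response headers
// captured from the store (for instance with curl -I).

/** Parse one Set-Cookie header value into name, value and lower-cased attributes. */
function parseSetCookie(string $header): array
{
    $parts = array_map('trim', explode(';', $header));
    [$name, $value] = array_pad(explode('=', array_shift($parts), 2), 2, '');
    $attrs = [];
    foreach ($parts as $part) {
        [$k, $v] = array_pad(explode('=', $part, 2), 2, true);   // flag attributes have no value
        $attrs[strtolower($k)] = $v;
    }
    return ['name' => $name, 'value' => $value, 'attrs' => $attrs];
}

/** Return the list of weaknesses for a cookie (an empty array means it is hardened). */
function cookieWeaknesses(array $cookie): array
{
    $a = $cookie['attrs'];
    $issues = [];
    if (!isset($a['secure'])) {
        $issues[] = 'missing Secure (also sent over plain HTTP)';
    }
    if (!isset($a['httponly'])) {
        $issues[] = 'missing HttpOnly (readable by JavaScript)';
    }
    if (!isset($a['samesite']) || strtolower((string) $a['samesite']) === 'none') {
        $issues[] = 'SameSite absent or None (sent on cross-site requests)';
    }
    return $issues;
}

// Constructed headers: a default session cookie and its hardened form.
$headers = [
    'PHPSESSID=abc123; path=/',
    'PHPSESSID=abc123; path=/; secure; HttpOnly; SameSite=Lax',
];
foreach ($headers as $h) {
    $cookie = parseSetCookie($h);
    $issues = cookieWeaknesses($cookie);
    echo $cookie['name'], ': ', $issues ? implode('; ', $issues) : 'OK', "\n";
}
```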

#4 CSRF protection

CSRF (Cross-Site Request Forgery, or XSRF) incidents were not rare in 2017, thanks to the clever use of common cross-platform vulnerabilities in combination with security breaches in Magento 2. As a consequence, the Magento DC-2017-04-003 advisory urged merchants to use the Add Secret Key to URLs configuration to stay protected against CSRF attacks.

Although the key is enabled in Magento 2 by default, many admin users underestimated the importance of changing it and suffered troublesome consequences. If an experienced attacker somehow obtains your form key, a CSRF attack can be constructed for any form without the need for password confirmation.

One of the methods attackers use is parsing the administrative dashboard page for secret keys to other pages until they eventually find the one they need. Frequently, attackers force the execution of actions on the vulnerable site on behalf of a victim: changing the password, the secret question for password recovery, the email address, etc.

However, the platform developers apply an additional token as a security feature against such attacks: a randomly generated 16-character alphanumeric string, passed as the form_key parameter, is used as a CSRF token in all forms in the Admin Panel.

ordinary URL fragment:
URL fragment with salt (16-character alphanumeric string):

The additional token is generated automatically with every form that sends information, and after the form is submitted the Magento 2 platform checks that the submitted token matches the one stored in the session.

If the tokens match, the user for whom the form was generated and the user who submitted it are the same. If they do not match, the form is not processed further and an attacker cannot change any information.

#5 XSS protection

An XSS vulnerability, which can be found in any web application, is usually used by attackers to inject malicious code into a web page visited by users. The main XSS vulnerability types are:

  • Persistent XSS: unvalidated data is received from the database or another backend permanent store;
  • Non-persistent XSS: data provided by a web client is used by server-side scripts to parse and display a page to the user without further verification;
  • DOM XSS: malicious data is reflected by JavaScript code on the client side without any interaction with the web server.

Therefore, Magento 2 extension developers should avoid introducing these vulnerabilities in their code.

How to prevent XSS in Magento 2?

Both user input and output should be validated and cleaned to prevent malicious code from being stored and executed. Sanitize strings that may come from external data sources before sending them to the browser or rendering them in templates. For more information about XSS security in templates, see here.
In addition, Magento now offers the Escaper class for escaping HTML output. It provides the following functions:

  • escapeHtml() escapes strings inside HTML content;
  • escapeHtmlAttr() escapes strings inside HTML tag attributes;
  • escapeCss() escapes strings inside a CSS context;
  • escapeJs() escapes strings inside a JavaScript context;
  • and escapeUrl() escapes strings that are to be used in a URL.
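Why the output context decides which of those functions to call is easiest to see side by side. The added example below is not Magento’s Escaper: it defines stand-in helpers with the same names from PHP built-ins (BMP characters only for the \u escaping), renders one constructed attacker-controlled product name into each context, and shows the double-context case where escapeHtml() alone is not enough. In a real .phtml template, call the corresponding methods on the Escaper instance instead.

```php
<?php
declare(strict_types=1);

// Added example (not Magento's own code): stand-ins for the Escaper contexts,
// built from PHP primitives. Real templates use the Escaper's methods.

function escapeHtml(string $s): string     { return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8'); }
function escapeHtmlAttr(string $s): string { return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8'); }
function escapeUrl(string $s): string      { return rawurlencode($s); }
/** \uXXXX-escape everything outside [A-Za-z0-9] so the value can sit inside a JS string literal. */
function escapeJs(string $s): string
{
    return preg_replace_callback('/[^A-Za-z0-9]/u', fn ($m) => sprintf('\\u%04X', mb_ord($m[0], 'UTF-8')), $s);
}
/** \XXXXXX-escape everything outside [A-Za-z0-9] so the value can sit inside a CSS string. */
function escapeCss(string $s): string
{
    return preg_replace_callback('/[^A-Za-z0-9]/u', fn ($m) => sprintf('\\%06X', mb_ord($m[0], 'UTF-8')), $s);
}

// Constructed attacker-controlled product name, e.g. entered through a vendor form.
$name = '<script>alert(1)</script> Shirt "large" \'red\'';

// Wrong: raw output lets the markup execute in the customer's browser.
$vulnerable = "<h1>$name</h1>";

// Right: one escaper per output context.
$safeBody = '<h1>' . escapeHtml($name) . '</h1>';
$safeAttr = '<input value="' . escapeHtmlAttr($name) . '">';
$safeJs   = "<script>var n = '" . escapeJs($name) . "';</script>";
$safeUrl  = '<a href="/search?q=' . escapeUrl($name) . '">search</a>';
$safeCss  = '<style>.badge::after { content: "' . escapeCss($name) . '"; }</style>';

// Double context: the browser decodes HTML entities in an attribute *before*
// the inline handler runs, so escapeHtml() alone would turn &#039; back into a
// quote inside the JS string. Escape for JS first, then for the attribute.
$doubleContext = '<a onclick="go(\'' . escapeHtmlAttr(escapeJs($name)) . '\')">go</a>';

foreach (compact('vulnerable', 'safeBody', 'safeAttr', 'safeJs', 'safeUrl', 'safeCss', 'doubleContext') as $label => $html) {
    echo str_pad($label, 14), $html, "\n";
}
```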


Want to know the best part?

Working shoulder to shoulder with our clients, we are no strangers to the problem. All the security features listed in this post are basic protective measures built into Magento 2.

However, all the add-ons installed on your platform must also be free of vulnerabilities and strong enough. Good news: you can check the extensions you use right now by reading our security post.

Following the latest cybersecurity news, we continue to offer security patch installation services and to develop extensions such as a security suite. We do everything possible to safeguard our clients and ourselves.

Have any ideas or hacks? Just drop us a line below.

That’s a wrap for today!

This post was delivered to you by Amasty Support Manager Kira Kharevich and Amasty Magento Developer Eugene Shevchuk.