Security Guide

A list of steps you need to implement to keep your store secure.

Written by Olga Tereshina
Updated over a week ago

Proper X-Cart store security set-up will minimize the threat of fraud and instill trust within your customer base.

Step 1. Secure Server Configuration

First of all, ensure that the server on which X-Cart is installed is configured securely. The best option is to host X-Cart on a PCI-compliant server that runs regular PCI scans to catch security issues.

Step 2. Use SSL Certificates

Make sure the server X-Cart is hosted on has an SSL (Secure Sockets Layer) certificate installed. This lets you run your store in secure HTTPS mode (enabled in the System tools -> HTTPS settings section).

[Screenshot: 541-https-settings.png]

SSL certificates secure data in transit during checkout, which protects your company and your customers from having financial or other sensitive information compromised by attackers. More information on how to redirect customers from HTTP to HTTPS is available here.


Enabling HTTPS for X-Cart when HTTPS is not properly configured on your server may break access to the X-Cart admin interface. If this happens, see Inaccessible Admin Area after Enabling HTTPS.


Step 3. Keep the Software Up-To-Date

Update your X-Cart software regularly. Automatic updates should be standard practice: they add new features to the store, update existing ones, and close newly discovered vulnerabilities that viruses and malware could exploit.

Step 4. Limit Staff Access to the Store Back End

X-Cart allows you to set specific access permissions for different staff members depending on the roles they perform in your store. Ensure each staff member has a personal account in your store and does not use the main root admin account.

Besides that, X-Cart has brute-force protection built in for both admin and customer login. After 6 failed login attempts (wrong password for a username), the login form is automatically blocked for 2 minutes. Each failed attempt to log in with an admin e-mail is recorded, and a notification about it is sent to the administrator e-mail specified in the store Contacts (Store setup -> Store profile):

[Screenshot: 541-store-profile-contacts.png]

For more protection, use the built-in add-on Two Factor Authentication, which enables two-step verification for both admin and customer accounts.

Step 5. Make Sure Your Store Has Multi-Layered Security

Credit card fraud is the most common security threat online retailers face. To avoid it and minimize the possibility of fraudulent orders and accounts, use:

  1. PCI-DSS certified payment solutions

    X-Cart does not store credit card data, which prevents unauthorized access to customers' payment information, and it integrates with certified payment solutions only. So choose any online payment system that is PCI-DSS compliant and processes transactions securely. You can also use alternative payment solutions via a special PCI-DSS certified add-on, X-Payments.

  2. Anti-fraud protection

    X-Cart has built-in anti-fraud protection via the add-on AntiFraud Service Connector. The add-on helps identify online fraud using sophisticated checking algorithms and reduces chargebacks.

    As an additional means of protection, do not allow anonymous checkout. You can have customers register an account with your store using the add-on Register On Checkout.

  3. Address Verification System (AVS)

    One of the safest ways for online retailers to handle credit card processing is an Address Verification System (AVS). The system compares the billing address a customer enters against the address the card issuer has on file and can block suspicious transactions when the two do not match. AVS is widely supported by Visa, MasterCard, and American Express in the USA, Canada, and the United Kingdom and is used by, e.g., UPS, U.S.P.S., Canada Post, 2Checkout, Braintree, etc.

  4. Anti-bot protection

    Use the add-on Google reCAPTCHA to protect your shop from bots creating fake user accounts and sending spam through your site.

    For more security, use the add-on Block Users by IP / Country / User-agent, which protects your store from bots and fraudulent customers by limiting or completely restricting access with flexible settings and filters based on IP address, country, user agent, and user behavior.

Step 6. Protect X-Cart from XSS and CSRF Attacks

To protect X-Cart from XSS and CSRF attacks, configure the etc/config.php file to send the security headers below. Find the following parts of the etc/config.php file and set the appropriate value for your case. The meaning of each value is explained on the linked help pages.

; X-Frame-Options value
; For possible values see https://developer.mozilla.org/en-US/docs/Web/HTTP/X-Frame-Options
; Examples:
; x_frame_options = 'disabled'
; x_frame_options = 'sameorigin'

; X-XSS-Protection value
; For possible values see https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection
; Examples:
; x_xss_protection = 'disabled' # prevent X-XSS-Protection header sending
; x_xss_protection = '0'
; x_xss_protection = '1; mode=block'

; Content-Security-Policy value
; For possible values see https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy
; Examples:
; content_security_policy = 'disabled' # prevent Content-Security-Policy header sending
; content_security_policy = "default-src 'self'"
; content_security_policy = "default-src 'self'; img-src *;"

; X-Content-Type-Options value
; For possible values see https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Content-Type-Options
; Examples:
; x_content_type_options = 'disabled' # prevent X-Content-Type-Options header sending
; x_content_type_options = 'nosniff'
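Setting the keys above only helps if the storefront really emits the headers. The following is an added example (not X-Cart's own code) that reads the four config keys from an ini-style snippet, derives the headers the store should send (a value of 'disabled' means the header must be absent), and compares them with the headers of a real response. The sample config and sample response are constructed; the ini section name is a placeholder, since only the keys come from the guide.

```python
# Added example: verify that X-Cart's configured security headers are actually sent.
import configparser

# Config key (as shown in the guide) -> HTTP response header it controls.
KEY_TO_HEADER = {
    "x_frame_options": "X-Frame-Options",
    "x_xss_protection": "X-XSS-Protection",
    "content_security_policy": "Content-Security-Policy",
    "x_content_type_options": "X-Content-Type-Options",
}

# Constructed sample of the relevant config lines; values are the guide's own examples.
SAMPLE_CONFIG = """x_frame_options = 'sameorigin'
x_xss_protection = '1; mode=block'
content_security_policy = "default-src 'self'; img-src *;"
x_content_type_options = 'nosniff'
"""

# Constructed sample of what a storefront answered (header names are case-insensitive).
SAMPLE_RESPONSE = {
    "x-frame-options": "SAMEORIGIN",
    "X-XSS-Protection": "0",
    "content-security-policy": "default-src 'self'; img-src *;",
}

def expected_headers(config_text):
    """Return {header: value} for each configured key; value None means 'disabled'
    (X-Cart then sends no such header). Lines starting with ';' are ini comments."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string("[headers]\n" + config_text)  # section name is a placeholder
    section = parser["headers"]
    expected = {}
    for key, header in KEY_TO_HEADER.items():
        if key in section:
            value = section[key].strip().strip("'\"")  # drop surrounding quotes
            expected[header] = None if value == "disabled" else value
    return expected

def audit(expected, response_headers):
    """Compare configured headers with a live response; an empty list means all good.
    Values are compared case-insensitively, which is enough for a config sanity check."""
    observed = {k.lower(): v.strip() for k, v in response_headers.items()}
    findings = []
    for header, value in expected.items():
        got = observed.get(header.lower())
        if value is None and got is not None:
            findings.append(f"unexpected: {header} is sent although configured 'disabled'")
        elif value is not None and got is None:
            findings.append(f"missing: {header} (expected '{value}')")
        elif value is not None and got.lower() != value.lower():
            findings.append(f"mismatch: {header} is '{got}', expected '{value}'")
    return findings
```

Feed `audit()` the headers of a real response (for example the `headers` of a `requests.get()` call) to check a live store after editing etc/config.php.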

To protect from CSRF attacks, X-Cart uses a special form id that can be unique for each form (per-form) or the same for one session (per-session). The default setting is "per-session".

; CSRF token strategy 
; possible values: per-session, per-form
csrf_strategy = per-session