Hardening site security checklist
To harden the security of your WebSphere Commerce site, you can enable and configure various security features. In addition, site customizations must always be made to comply with best practices as outlined in this document.
This is not an all-inclusive list of security measures for your site. This list is designed primarily to facilitate navigation of the WebSphere Commerce security section of the IBM Knowledge Center, and to highlight security considerations for WebSphere Commerce customizations and the secure configuration of other IBM products. Further security hardening might be required to ensure the security of your site. For more information about security standards, see Security Standards.
Development
This list is provided for the purposes of development. Ensure that your site customizations conform to the best practices laid out in the following topics:
Configuration
- Protect your merchant and payment keys by using the Key Locator Framework (KLF).
- Ensure that login timeouts are enabled for user sessions based on cookies. To enable login timeouts, see Enabling login timeout for a cookie-based session. This is even more critical if you have enabled multiple logon support.
- Reduce the risk to session cookies by enabling httpOnly mode. For instructions on how to enable httpOnly mode, see Enabling httpOnly for session cookies.
- Enable whitelist data validation for store URLs and REST calls to disallow non-conforming parameters. For information on whitelist filtering, see Enabling WhiteList data validation.
- Ensure that cross-site scripting protection remains enabled. To ensure that this feature is enabled, see Enabling cross-site scripting protection.
- Secure your WebSphere Commerce search server from unauthorized access. For instructions on securing your search server, see Securing the WebSphere Commerce search server.
- Upgrade your database encryption to a stronger standard to reduce the chance of a successful brute force attack. For instructions on upgrading your database encryption, see Migrating from Triple DES to AES-128 encryption.
- Implement business object thresholds to reduce the threat of denial of service attacks. For instructions on implementing business object thresholds, see Business Object thresholds.
- Secure the Dynamic Cache Monitor from unauthorized access. For information on securing the Dynamic Cache Monitor, see Configuring security for the Dynamic Cache Monitor.
- Use the updateua utility to assign and restrict database permissions for essential control only. For more information about the updateua utility, see Update user authorization utility.
- Ensure that password complexity rules and account lockout policies are in place. See Setting up a password policy and Setting up an account lockout policy.
Maintenance and operations
This list is provided for the purposes of site administration on an ongoing basis. Timely review and application of security and maintenance patches ensures that you are aware of ongoing security issues, and that your site is up-to-date and hardened against attacks that would otherwise succeed:
- Subscribe to WebSphere Commerce security bulletins, and review all published security bulletins. For more information, see Security bulletins.
- Ensure that you keep your product up to date with the latest cumulative interim fix. In addition, review and install all additional APAR interim fixes in a timely fashion. Pay particular attention to security-related APARs.
- For fix pack interim fixes, see List of additional fix pack APAR fixes.
- For feature pack interim fixes, see List of additional feature pack APAR fixes.
- Test your site thoroughly, and on an ongoing basis. Pay particular attention to any site customizations. Remember: security is an ongoing process, not a product or a task that is ever complete.
- Implement an encryption key rotation schedule, and ensure that the process is secure. This process reduces the chance of a successful brute force attack, and mitigates the potential outcomes of a compromised key. For information on how to change your encryption key, see MigrateEncryptedInfo utility.
- Use the -passwordFile parameter for all command-line utilities that have such a parameter to limit the exposure of plain text passwords.
Other software
- Find flashes, alerts, and bulletins, and download fixes for all IBM products on the IBM Support Portal. See IBM Support Portal.
- Subscribe to receive critical product updates for any IBM product through email or RSS. See Critical IBM software support updates.
Review the following documentation for each piece of software that you use for more security recommendations: