Home
Documentation
HCL Commerce is a high-availability, highly scalable and customizable e-commerce platform. Able to support hundreds of thousands of transactions per day, HCL Commerce allows you to do business with consumers (B2C) or directly with businesses (B2B). HCL Commerce uses cloud friendly technology to make deployment and operation both easy and efficient. It provides easy-to-use tools for business users to centrally manage a cross-channel strategy. Business users can create and manage precision marketing campaigns, promotions, catalog, and merchandising across all sales channels. Business users can also use AI enabled content management capabilities.
Securing
These topics describe the security features of HCL Commerce and how to configure these features.
Site security considerations
To enhance the security of your HCL Commerce site, you can enable various features in Administration Console or in the HCL Commerce configuration file.
Enabling security with HTTP headers
You can use HTTP headers to pass security-oriented information between the server and client. Headers are available to prevent man-in-the-middle, cross-site scripting, content sniffing and clickjacking attacks.

Documentation
HCL Commerce is a high-availability, highly scalable and customizable e-commerce platform. Able to support hundreds of thousands of transactions per day, HCL Commerce allows you to do business with consumers (B2C) or directly with businesses (B2B). HCL Commerce uses cloud friendly technology to make deployment and operation both easy and efficient. It provides easy-to-use tools for business users to centrally manage a cross-channel strategy. Business users can create and manage precision marketing campaigns, promotions, catalog, and merchandising across all sales channels. Business users can also use AI enabled content management capabilities.
- Getting started
  HCL Commerce has different advantages for business users, administrators and developers. HCL Commerce targets each of these roles with a tailored set of offerings so that each of your users can get maximum benefit.
- Installing and deploying
  Learn how to install and deploy HCL Commerce development environments and HCL Commerce production environments.
- Migrating
  Before you migrate to HCL Commerce Version 9.1, review this information to help plan and execute your migration.
- Operating
  Topics in the Operating category highlight tasks that are typically performed by business users, customer support representatives, to complete their day-to-day tasks in the operation of the HCL Commerce site.
- Integrating
  Topics in the Integrating category highlight the tasks that are commonly performed for using HCL Commerce in combination with other products.
- Administering
  Topics in the Administering category highlight tasks that are typically performed by the Site Administrator, to support daily operations of the HCL Commerce site.
- Customizing
  The topics in the Customizing section describe tasks performed by an application developer to customize HCL Commerce.
- Tutorials
  HCL Commerce provides many tutorials to help you customize and understand your HCL Commerce instance and stores.
- Samples
  Topics in the Samples category highlight the various samples that are provided with HCL Commerce.
- Compliance
  The following section describes how you can leverage HCL Commerce features and functionality to help your site be compliant with different privacy and security standards.
- Securing
  These topics describe the security features of HCL Commerce and how to configure these features.
  - HCL Commerce security model
    Authentication is the process of verifying that users or applications are who they claim to be. In an HCL Commerce system, authentication is required for all users and applications that access the system, except for guest customers.
  - HCL Commerce authentication model
    The HCL Commerce authentication model is based on the following concepts: challenge mechanisms, authentication mechanisms and user registries.
  - Authorization
    HCL Commerce views access control or authorization as the process of verifying that users or applications have sufficient authority to access a resource. This section describes the details of several aspects of HCL Commerce access control.
  - Hardening site security checklist
    To harden the security of your HCL Commerce site, you can enable and configure various security features. In addition, site customizations must always be made to comply with best practices as outlined in this document.
  - Site security considerations
    To enhance the security of your HCL Commerce site, you can enable various features in Administration Console or in the HCL Commerce configuration file.
    - Enabling password invalidation
      Password invalidation, when enabled, requires HCL Commerce users to change their password if the user's password is expired. In this case, the user is redirected to a page where they are required to change their password. Users are not able to access any secure pages on the site until they change their password.
    - Encrypting data
      This section contains information about the important steps involved when ensuring the security of your site. There are different encryption options available including information on Key Locator Framework, where you encrypt your data, how to change your session encryption keys and how to develop custom code using EncryptionFactory.
    - Configuring Transport Layer Security protocols
      Configure the latest Transport Layer Security (TLS) protocols for the transaction server to protect your site and comply with security standards. TLS 1.3 is the most secure protocol available, while TLS 1.2 is also considered a secure protocol.
    - Enabling security with HTTP headers
      You can use HTTP headers to pass security-oriented information between the server and client. Headers are available to prevent man-in-the-middle, cross-site scripting, content sniffing and clickjacking attacks.
      - Enabling the X-Frame-Options header
        You can configure the X-Frame-Options header settings to help you protect your site against clickjacking. Clickjacking is a technique that tricks a web user into clicking a malicious site, thinking that it is your site. This malicious site can then reveal confidential information or take control of the user's computer.
      - Enabling the X-Content-Type-Options header
        You can configure the X-Content-Type-Options header settings to help you block content sniffing. The default value indicates that the MIME types advertised in the Content-Type headers should not be changed and be followed.
      - Enabling the Strict-Transport-Security header
        Configuring the Strict-Transport-Security header strengthens your site's defense against man-in-the-middle (MITM) attacks. This header instructs browsers to enforce secure connections by automatically upgrading all HTTP access attempts to HTTPS and preventing the site from loading over unencrypted protocols.
      - Deprecated: Enabling the X-XSS-Protection header
        The X-XSS-Protection header is deprecated because most modern browsers (including Chrome, Edge, and Firefox) have removed built-in XSS filtering support. That makes this header ineffective and, in some cases, capable of introducing additional security vulnerabilities.
      - Enabling the Referrer-Policy header
        You can configure the Referrer-Policy header settings to control how much referrer information (sent via the Referer header) should be included with requests made from your site. This header helps protect user privacy by limiting the information leaked to external sites when users navigate away from your pages.
    - Enabling cross-site scripting protection
      When enabled, cross-site scripting protection rejects any user requests that contain attributes (parameters) or strings that are designated as not allowable. You can also exclude commands from cross-site scripting protection by allowing the values of specified attributes for that particular command to contain prohibited strings. Cross-site scripting protection is enabled by default.
    - Enabling cross-site request forgery in Spring
      Cross-site request forgery (CSRF) is a type of malicious attack that tricks a user into sending unintended requests. For example, an attacker can trick an authenticated user into clicking a link to update their personal information. HCL Commerce accepts this request as valid, as proper session cookies exist as part of the request.
    - Disabling cross-site scripting protection for the Management Center
      When enabled, cross-site scripting protection rejects any user requests that contain attributes (parameters) or strings that are designated as not allowable. You can also exclude commands from cross-site scripting protection by allowing the values of specified attributes for that particular command to contain prohibited strings. Cross-site scripting protection is enabled by default, but you can disable it to match your security needs.
    - Enabling WhiteList data validation
      When enabled, WhiteList data validation ensures that when a URL command or view is run, the parameter values conform to a specified regular expression. For example, you can configure it so that the storeId must be an integer. When a WhiteList violation is detected, the request is changed to the ProhibCharEncodingErrorView view. WhiteList data validation is disabled by default.
    - Enabling cross-site request forgery protection in Struts
      Cross-site request forgery (CSRF) is a type of malicious attack that tricks a user into sending unintended requests. For example, an attacker can trick an authenticated user into clicking a link to update their personal information. HCL Commerce accepts this request as valid, as proper session cookies exist as part of the request.
    - Enabling cross-site request forgery protection in REST
      Enabling cross-site request forgery (CSRF) protection is recommended when using REST APIs with cookies for authentication. If your REST API uses the WCToken or WCTrustedToken tokens for authentication, then additional CSRF protection is not required.
    - Enabling URL redirect filtering
      When you enable URL redirect filtering, HCL Commerce rejects any requests that try to redirect to an unauthorized site. This feature is used to prevent phishing attacks where a link in an HCL Commerce site sends the shopper to another site.
    - Enabling access logging
      When enabled, the access logging feature logs either all incoming requests to the Transaction server or only the requests resulting in access violations. Examples of access violations are authentication failure or insufficient authority to execute a command. When enabled, access logging allows an HCL Commerce administrator to quickly identify security threats to the HCL Commerce system.
    - Enabling SSL for outbound web services
      You can enable SSL for web services by using the WebSphere Application Server administrative console for development and testing, and by using Run Engine commands for permanent configuration changes.
    - Encrypting data in custom code using EncryptionFactory
      EncryptionFactory is a factory class that initializes all of the encryption provider classes that are used at runtime for encrypting and decrypting data. All encryption providers must implement the com.ibm.commerce.foundation.common.util.encryption.EncryptionProvider interface.
    - Web server security considerations
      Be aware of the following security considerations for your web server and take the recommended actions to minimize any security exposure.
    - Troubleshooting OS vulnerabilities in Red Hat Enterprise Linux 8
      This guide provides steps to address OS-level vulnerabilities in Red Hat Enterprise Linux 8 by updating outdated system libraries during Docker image builds, ensuring a secure and up-to-date container environment.
    - Setting up account related policies
      For enhanced security of your site, ensure that you are aware and up to date on all account related policies.
    - Enabling password-protected commands
      When the password-protected commands feature is enabled, HCL Commerce requires registered users who are logged onto HCL Commerce to enter their password before continuing a request that runs designated HCL Commerce commands. When you configure password-protected commands, be aware of the consequences of specifying a command that can be run by generic and guest users. Configuring such commands as password-protected will prevent generic and guest customers from running them.
    - Configuring Reset Password to use long validation codes
      When a registered user requests a reset of a forgotten password, you can configure the Reset Password URL to send a randomly generated validation code instead of a temporary password. By default, this code can be up to 100 characters long.
    - Configuring Reset Password to use short validation codes
      When a customer requests a password change, you can configure the Reset Password function to email them a short, numeric validation code. Prior to HCL Commerce 9.1.7.0, the validation code was up to 100 characters long. You can still use the long-code validation code, however this approach is deprecated and will be discontinued in a future release.
    - Prevent privileged users from logging in externally
      The wc-server.xml file includes a customizable web server header. You can edit this header to control whether privileged users can log in to the store from external networks. This framework reduces the possibility of an external attack if an account with administrative level access, such as a customer service representative or site administrator, is compromised.
  - Session management
    Browsers and e-commerce sites use HTTP to communicate. HTTP is a stateless protocol, which means that each command is run independently without any knowledge of the commands that came before it. Because it is a stateless protocol, sessions must be managed between the browser side and the server side.
  - Quick reference to user IDs, passwords, and Web addresses
    Administration in the HCL Commerce environment requires a variety of user IDs. These user IDs along with their requisite authorities are described in the following list. For the HCL Commerce user IDs, the default passwords are identified.
  - Enabling WebSphere Application Server security
    You can enable WebSphere Application Server security, which includes two orthogonal components: WebSphere global security and Java 2 security.
- Performance
  Topics in the Performance section describe the means by which to plan, implement, test, and re-visit the optimization of HCL Commerce site performance.
- Troubleshooting
  Topics in the Troubleshooting section highlight common issues that are encountered with HCL Commerce, and how they can be addressed or mitigated.
- Reference
  Topics in the Reference section contain all of the HCL Commerce reference documentation.

Enabling security with HTTP headers

You can use HTTP headers to pass security-oriented information between the server and client. Headers are available to prevent man-in-the-middle, cross-site scripting, content sniffing and clickjacking attacks.

Headers configured via wc-component.xml are applied by the Transaction Server's HttpSecurityFilter servlet filter.

HCL Commerce Version 9.1.20.0 Content-Security-Policy and Permissions-Policy headers are now configured in the web server configuration instead of wc-component.xml.