PCI Compliance Hardening Extension
This extension was created to address a number of small issues that surface when an OpenCart website is scanned with web vulnerability scanning software. Some of these would be classed as false positives, while others could pose a real issue.
It does not modify any theme files, so if a vulnerability exists within a theme (such as the AddThis alert below) you will need to resolve that in the theme yourself.
The extension also comes with a new .htaccess file which you can choose to use in place of your default one. It hardens the HTTP response headers for a number of file types. As a bonus, it also includes a number of performance improvements for browser caching of static files. Feel free to use the new file as-is or merge the changes into your own.
Alerts you may get:
(LOW) Cookie set without HttpOnly flag - the language cookie is set within index.php and there is no way to vQMod that file to remove this alert. Risk-wise there is none: whatever value is set is validated by OpenCart (the validation does not use SQL).
(LOW) Password autocomplete in browser on login and register pages - this would only be a PCI issue if you are storing PAN details. If you wish, you can add ' autocomplete="off"' to the password boxes within your theme.
(LOW) Cross-domain JavaScript source file inclusion - this alert comes from the AddThis social media extension used by the default theme. Use inline social media links instead to remove the alert.
The /admin/ext/index.php file will also flag 3 header alerts. Again, this file cannot be vQModded; the alerts arise because the page is inaccessible.
Notes:
The language and currency cookies have been locked down so they are not editable by the client. If you access them using JavaScript, this hardening will prevent that from working.
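The following is an added example, not code shipped with this extension or with OpenCart, illustrating the two points above: the HttpOnly/locked-down language and currency cookies from the alert list and notes, and the kind of security headers the .htaccess file hardens. Function names, the allowlists and the chosen headers are assumptions for illustration; OpenCart's real index.php differs.

```php
<?php
// Added example (not the extension's own code): hardening the language and
// currency cookies and emitting security headers from PHP. Function names,
// allowlists and header values are assumptions for illustration.

// Constructed sample lists standing in for the store's enabled languages and
// currencies (in OpenCart these would come from the database).
const ALLOWED_LANGUAGES  = ['en-gb', 'de-de', 'fr-fr'];
const ALLOWED_CURRENCIES = ['GBP', 'EUR', 'USD'];

/**
 * Return $candidate if it is on the allowlist, otherwise $default.
 * Validation is a strict in_array check; the value never reaches SQL.
 */
function pick_allowed(?string $candidate, array $allowed, string $default): string
{
    return ($candidate !== null && in_array($candidate, $allowed, true))
        ? $candidate
        : $default;
}

/**
 * Set a preference cookie that JavaScript cannot read (HttpOnly), that is only
 * sent over TLS when the site is served over HTTPS (Secure), and that is not
 * attached to cross-site requests (SameSite=Lax). Requires PHP 7.3+ for the
 * options-array form of setcookie().
 */
function set_hardened_cookie(string $name, string $value, bool $https): void
{
    setcookie($name, $value, [
        'expires'  => time() + 60 * 60 * 24 * 30, // 30 days
        'path'     => '/',
        'secure'   => $https,
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
}

/**
 * Response headers a vulnerability scanner typically looks for. Sending them
 * from PHP only covers PHP-generated pages; static files (images, CSS, JS)
 * still need the .htaccess / web server configuration.
 */
function send_security_headers(): void
{
    header('X-Content-Type-Options: nosniff');
    header('X-Frame-Options: SAMEORIGIN');
    header('Referrer-Policy: strict-origin-when-cross-origin');
}

// Usage, in the spirit of a front controller: read the request, validate
// against the allowlist, then set the cookies with the hardened flags.
$https    = isset($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off';
$language = pick_allowed($_GET['language'] ?? $_COOKIE['language'] ?? null, ALLOWED_LANGUAGES, 'en-gb');
$currency = pick_allowed($_GET['currency'] ?? $_COOKIE['currency'] ?? null, ALLOWED_CURRENCIES, 'GBP');

send_security_headers();
set_hardened_cookie('language', $language, $https);
set_hardened_cookie('currency', $currency, $https);
```

Because the cookies are HttpOnly, any theme JavaScript that reads document.cookie to find the current language or currency will no longer see them, which is exactly the behaviour described in the note above. Headers and cookies must be sent before any output, so this belongs at the top of the request, not in a template.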
DISCLAIMER
This extension does not provide PCI DSS compliance for OpenCart. What it does is reduce the number of false positive findings on a default OpenCart website and improve the chance of the website passing an automated vulnerability scan.
For PCI DSS compliance to be achieved, many different controls need to be in place and quite a few process documents need to exist. At a minimum you will also need an SSL certificate (look at Trustico for reasonably priced ones), and your server needs to be appropriately hardened.