Being an e-commerce platform, PrestaShop is at constant risk of getting hacked, a fact further validated by the recent rise in the number of attacks on PrestaShop stores. It is worth noting here that online stores usually hold sensitive data such as their customers' payment information. While setting up PrestaShop is quite easy, much caution is needed to keep it secure. This is the reason that many owners add security headers to their PrestaShop stores. Security headers are an integral part of website security. Once implemented, they protect your PrestaShop store from various types of malicious attacks. Notably, these headers can fend off attacks such as code injection, XSS and clickjacking.
Brief Overview of Security Headers
Technically, security headers are simply clear-text fields that form part of the header section of HTTP request and response messages. When a user visits your PrestaShop store, the server responds with HTTP response headers. In simple words, these headers tell the browser how to behave while communicating with the PrestaShop store. Security headers are mainly metadata and can be used to constrain that communication and improve web security.
Nowadays, there exists an array of security headers with the help of which you can protect your PrestaShop store. For instance, let’s take the example of Content Security Policy Header.
The HTTP CSP response header gives website admins control: it lets them restrict which resources a user's browser is permitted to load within a site. In other words, with the help of this header you can whitelist the content sources of your site.
It’s done by adding this code to the .htaccess file:

```apache
# Extra Security Headers
<IfModule mod_headers.c>
    # Content Security Policy: whitelist the origins that scripts, styles, images etc. may load from
    Header set Content-Security-Policy "default-src 'unsafe-inline' 'unsafe-eval' 'self' *.googleapis.com *.gstatic.com;"
    # Legacy browser XSS filter
    Header set X-XSS-Protection "1; mode=block"
    # Only allow the store to be framed by pages of the same origin (clickjacking)
    Header always append X-Frame-Options SAMEORIGIN
    # Stop browsers from guessing MIME types (content sniffing)
    Header set X-Content-Type-Options nosniff
    # HSTS: the header name takes no trailing colon, and the value must be quoted because it contains semicolons
    Header set Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
</IfModule>
```
Problems associated with adding security headers via traditional methods
PrestaShop owners usually rely on security headers to increase the overall security of their online stores. Once configured, these security headers can stop browsers from interacting with malicious sites. However, the traditional way of adding security headers has several drawbacks. We have listed the drawbacks of adding security headers via traditional methods:
- PrestaShop can be hosted on Nginx, IIS or Apache, and each of these servers needs a different configuration change to achieve the same result. You can document the recommended configuration for each server, but this clearly makes the procedure more complex.
- Moreover, tweaking web server configurations and PrestaShop cloud hosting configurations is not that simple. As a result, security headers are often installed incorrectly, which leaves the store more exposed to attacks.
- Vulnerability scans give PrestaShop stores poor scores when security headers are missing.
Store Fixer Module as a Solution
Fortunately, there is an easier and more convenient method available: the Store Fixer module.
Store Fixer is a comprehensive security module that provides the essential tools to stop spammers. It also guards against content sniffing. Compared to the traditional methods of adding security headers, this add-on module from Astra makes adding security headers plug and play. It fortifies your store with features such as IP blocking, reCAPTCHA, security headers and content protection. The security headers protect your PrestaShop store from XSS, content-sniffing and clickjacking attacks.
This module adds PrestaShop security headers with a click, saving you both time and the effort of editing files. Install the module and follow these steps:
- Download the compressed file and upload it to the PrestaShop admin panel.
- Then click on the “store security” menu.
- If you want to use geolocation, go to the IP blocking page and download the file from the notification panel. After downloading, place it in the modules/storefixer/vendor/geoip2/ directory.
The security headers of this module provide your PrestaShop store with XSS protection, content-sniffing protection, clickjacking protection and HTTP-only and secure cookie flags. In short, you can rely on this module from Astra to keep your store safe.
Besides this, the module also provides other security functions for you, such as CAPTCHA, content security and IP blocking.
Bonus .htaccess techniques to augment your site’s security
However, if you prefer to add security headers yourself, you can use the following .htaccess techniques to add the different security headers to your store.
- Protect against clickjacking
This can be done by adding this directive to your site’s .htaccess file:

```apache
# X-Frame-Options
<IfModule mod_headers.c>
    Header always append X-Frame-Options SAMEORIGIN
</IfModule>
```
- Protect against content-sniffing
The following directive adds the X-Content-Type-Options header, which protects your site from content sniffing:

```apache
# X-Content-Type nosniff
<IfModule mod_headers.c>
    Header set X-Content-Type-Options nosniff
</IfModule>
```
- Protection from XSS attacks
The following directive can be added as-is, without any modification; most modern web browsers understand this header:

```apache
# X-XSS-Protection
<IfModule mod_headers.c>
    Header set X-XSS-Protection "1; mode=block"
</IfModule>
```
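Whichever route you take, the module or the .htaccess snippets above, it pays to verify what your store actually sends back. The script below is an added example (not code from this post, from Astra or from PrestaShop) that parses the header section of an HTTP response, the way a browser sees it, and audits it for the headers discussed in the CSP section earlier and in the bonus techniques above. Both responses it checks are constructed samples, and the thresholds (an HSTS max-age of at least one year, includeSubDomains required) are assumptions of this example rather than recommendations from the post. It also flags two pitfalls worth knowing about: `'unsafe-inline'` / `'unsafe-eval'` in a CSP, which largely cancel its XSS protection, and duplicate X-Frame-Options values, which `Header append` can produce and which browsers then ignore entirely.

```python
"""Audit an HTTP response for the security headers covered above.

Added example, not the post's or Astra's code. The sample responses below
are constructed, and MIN_HSTS_AGE is an assumption of this example.
"""

MIN_HSTS_AGE = 31536000  # one year, in seconds (assumed threshold)

# Constructed sample: headers configured carelessly (duplicate X-Frame-Options
# from 'Header append', short HSTS, CSP weakened by 'unsafe-*', no nosniff).
WEAK_RESPONSE = """HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
X-Frame-Options: DENY
X-Frame-Options: SAMEORIGIN
Strict-Transport-Security: max-age=86400
Content-Security-Policy: default-src 'self' 'unsafe-inline' 'unsafe-eval' *.googleapis.com *.gstatic.com;

<html><body>store front</body></html>
"""

# Constructed sample: the same store with the headers set cleanly.
HARDENED_RESPONSE = """HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
Strict-Transport-Security: max-age=63072000; includeSubDomains; preload
Content-Security-Policy: default-src 'self' *.googleapis.com *.gstatic.com; script-src 'self' *.googleapis.com

<html><body>store front</body></html>
"""


def parse_response_headers(raw: str) -> dict:
    """Parse the header block of a raw HTTP response into a lower-cased dict.

    Repeated header lines are joined with ', ', which is how a browser
    combines them and exactly what 'Header append' yields on the wire.
    """
    headers = {}
    for line in raw.strip().splitlines()[1:]:  # skip the status line
        if not line.strip():
            break  # blank line ends the header section; the body follows
        name, _, value = line.partition(":")
        name, value = name.strip().lower(), value.strip()
        headers[name] = f"{headers[name]}, {value}" if name in headers else value
    return headers


def parse_csp(policy: str) -> dict:
    """Split a Content-Security-Policy value into {directive: [sources]}."""
    directives = {}
    for chunk in policy.split(";"):
        parts = chunk.split()
        if parts:
            directives[parts[0].lower()] = parts[1:]
    return directives


def hsts_max_age(value: str) -> int:
    """Return the max-age of a Strict-Transport-Security value, or -1 if absent/invalid."""
    for token in value.split(";"):
        key, _, num = token.strip().partition("=")
        if key.strip().lower() == "max-age":
            try:
                return int(num.strip().strip('"'))
            except ValueError:
                return -1
    return -1


def audit_headers(headers: dict) -> list:
    """Return (header, problem) tuples; an empty list means every check passed."""
    findings = []

    xfo = headers.get("x-frame-options")
    if xfo is None:
        findings.append(("X-Frame-Options", "missing; the store can be framed (clickjacking)"))
    elif "," in xfo:
        # Browsers discard X-Frame-Options when it carries conflicting values,
        # so 'Header always set' is safer than 'Header always append'.
        findings.append(("X-Frame-Options", f"conflicting values {xfo!r} are ignored by browsers"))
    elif xfo.upper() not in ("DENY", "SAMEORIGIN"):
        findings.append(("X-Frame-Options", f"unrecognised value {xfo!r}"))

    if headers.get("x-content-type-options", "").lower() != "nosniff":
        findings.append(("X-Content-Type-Options", "missing or not 'nosniff' (MIME sniffing possible)"))

    hsts = headers.get("strict-transport-security")
    if hsts is None:
        findings.append(("Strict-Transport-Security", "missing; HTTPS is not enforced"))
    else:
        if hsts_max_age(hsts) < MIN_HSTS_AGE:
            findings.append(("Strict-Transport-Security", f"max-age below {MIN_HSTS_AGE} seconds"))
        if "includesubdomains" not in hsts.lower():
            findings.append(("Strict-Transport-Security", "includeSubDomains not set"))

    csp = headers.get("content-security-policy")
    if csp is None:
        findings.append(("Content-Security-Policy", "missing"))
    else:
        directives = parse_csp(csp)
        if "default-src" not in directives:
            findings.append(("Content-Security-Policy", "no default-src fallback"))
        for name in ("default-src", "script-src"):
            for weak in ("'unsafe-inline'", "'unsafe-eval'"):
                if weak in directives.get(name, []):
                    findings.append(("Content-Security-Policy", f"{weak} in {name} weakens XSS protection"))
    return findings


if __name__ == "__main__":
    for label, raw in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(f"--- {label} ---")
        for header, problem in audit_headers(parse_response_headers(raw)) or [("all checks", "passed")]:
            print(f"{header}: {problem}")
```

To run it against your own store, replace the constructed samples with the output of a raw HTTPS request (for example the headers a command-line HTTP client prints for your storefront URL) and feed that text to `parse_response_headers`. The audit deliberately does not score X-XSS-Protection: it is a legacy header that current browsers no longer act on, so a CSP without `'unsafe-inline'` is what actually carries the XSS protection.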
I hope this post helped you configure security headers for your PrestaShop store. If you have any security questions, ask us in the chat box; we’ll be happy to answer 🙂