CMS

How To Setup Security Headers On Your PrestaShop Store – Prevent XSS, Clickjacking, Content Sniffing & More?

Updated on: July 8, 2020

How To Setup Security Headers On Your PrestaShop Store – Prevent XSS, Clickjacking, Content Sniffing & More?

Being an e-commerce platform, PrestaShop is at constant risk of getting hacked. This fact is further validated by the recent rise in the number of attacks on PrestaShop stores. While setting up PrestaShop is quite easy, much caution is needed to keep it secure. This is the reason that many owners add security headers in their PrestaShop stores. Security headers are an integral part of a website’s security. Upon implementation, they secure your PrestaShop store from various types of malicious attacks. Notably, these headers can fend off attacks like code injections, XSS, clickjacking, etc.

Brief Overview of Security Headers

Technically, security headers are simply fields that are encoded in clear text. They are also part of the HTTP request and response message header. When a user visits your PrestaShop store, the servers usually respond with HTTP response headers. In simple words, these headers tell the browser how to behave during communication with the PrestaShop store. These security headers mainly comprise Metadata and can be used to outline communication and improve web security.

Nowadays, there exists an array of security headers with the help of which you can protect your PrestaShop store. For instance, let’s take the example of Content Security Policy Header.

The HTTP CSP response header provides website admin a sense of control. It gives them the authority to restrict the resources a user is permitted to load within a site. In other words, with the help of this header, you can whitelist the content sources of your site.

It’s done by adding this code in the .htaccess file.

**# Extra Security Headers
<IfModule mod_headers.c>
   Header set Content-Security-Policy "default-src 'unsafe-inline' 'unsafe-eval' 'self' *.googleapis.com *.gstatic.com;"
   Header set X-XSS-Protection "1; mode=block"
   Header always append X-Frame-Options SAMEORIGIN
   Header set X-Content-Type-Options nosniff
   Header set Strict-Transport-Security: max-age=63072000; includeSubDomains; preload
</IfModule>**

Problems associated with adding Security Headers via traditional methods

The traditional way of adding security headers have many problems associated with them. We have made a list of drawbacks associated with adding security headers via traditional methods.

  • The PrestaShop can be hosted on NGinx, IIS, and Apache. Each of these servers needs different configuration tweaks to get the same thing done. Well, you can document the recommendations for each server. Clearly, this procedure is more complex.
  • Moreover, tweaking web server configurations and PrestaShop cloud hosting configurations is not that simple. As a result, the security headers are not properly installed which makes the store more prone to attacks.
  • The vulnerability scans when executed provided bad scores to the PrestaShop stores because of missing security headers

Store Fixer Module As a Soultion

Fortunately, there is an easier and convenient method available – the Store Fixer module.

Store Fixer is a comprehensive security module that facilitates compulsory security tools to stop spammers. Besides adding Security Headers to your store, it also simplifies adding ReCAPTCHA, Content Security, and IP blocking to your store.

When compared to the traditional methods of adding security headers, this add-on module from Astra makes adding security headers plug and play.

This module not only saves you time but also the effort to edit files. To add Security Headers on your store, you just have to install the module and follow these steps:

  • Download the compressed file of the module and upload it to the PrestaShop modules section.
  • Once the module is configured, click on the Store Security>>Security Headers menu. It will open the following window.
Security Headers by Store Fixer
  • Now, enable the settings from the menu and hit SAVE. Security Headers will get active on your store.
Different Security Headers you can set by Store Fixer

The security headers of this module provides your PrestaShop store with XSS protection, Content Sniffing Protection, Clickjacking protection, and HTTP only secure flags. In short, you can rely on this module from Astra to keep your store safe.

Bonus: .htaccess techniques to add Security Headers

However, if you wish to add security headers by yourself, you can follow these .htaccess techniques to add different security headers to your store.

  • Protect against clickjacking

This can be done by adding this directive to your site’s .htaccess file.

# X-Frame-Options
<IfModule mod_headers.c>
	Header always append X-Frame-Options SAMEORIGIN
</IfModule>
  • Protect against content-sniffing

The following directive can be added as an X-security header to secure your site from content sniffing.

# X-Content-Type nosniff
<IfModule mod_headers.c>
	Header set X-Content-Type-Options nosniff
</IfModule>
  • Protection from XSS attacks

While adding the following directive, there is no need of any modifications. Most modern web browsers understand this header.

# X-XSS-Protection
<IfModule mod_headers.c>
	Header set X-XSS-Protection "1; mode=block"
</IfModule>

I hope this post helped you in configuring security headers to your PrestaShop store. If you have any security questions, asks us in the chat box, we’ll be happy to answer 🙂

Aakanchha Keshri

Aakanchha is a technical writer and a cybersecurity enthusiast. She is an avid reader, researcher, and an active contributor to our blog and the cybersecurity genre in general. To date, she has written over 200 blogs for more than 60 domains on topics ranging from technical to promotional. When she is not writing or researching she revels in a game or two of CS: GO.
Subscribe
Notify of
guest

This site uses Akismet to reduce spam. Learn how your comment data is processed.

0 Comments
Inline Feedbacks
View all comments

Psst! Hi there. We’re Astra.

We make security simple and hassle-free for thousands
of websites and businesses worldwide.

Our suite of security products include a vulnerability scanner, firewall, malware scanner and pentests to protect your site from the evil forces on the internet, even when you sleep.

earth spiders cards bugs spiders

Made with ❤️ in USA France India Germany