
How To Setup Security Headers On Your PrestaShop Store – Prevent XSS, Clickjacking, Content Sniffing & More?

As an e-commerce platform, PrestaShop is under constant risk of being hacked, a fact underlined by the recent rise in attacks on PrestaShop stores. While setting up PrestaShop is quite easy, considerable care is needed to keep it secure. This is why many owners add security headers to their PrestaShop stores. Security headers are an integral part of a website's security: once implemented, they help protect your PrestaShop store against various types of malicious attacks, notably code injection, XSS and clickjacking.

Brief Overview of Security Headers

Technically, security headers are simply HTTP header fields sent in clear text as part of the request and response messages. When a user visits your PrestaShop store, the server answers with HTTP response headers; in simple terms, these headers tell the browser how to behave while communicating with the store. Security headers consist mainly of metadata and are used to constrain that communication and improve web security.

Nowadays, there exists an array of security headers with the help of which you can protect your PrestaShop store. For instance, let’s take the example of Content Security Policy Header.

The HTTP CSP response header gives a website administrator control over which resources a user's browser is permitted to load within the site. In other words, with the help of this header you can whitelist your site's content sources.

It is done by adding the following block to the .htaccess file.

# Extra Security Headers
<IfModule mod_headers.c>
   # 'unsafe-inline' and 'unsafe-eval' still allow injected inline scripts to run;
   # tighten them once the theme's inline scripts have been moved to external files
   Header set Content-Security-Policy "default-src 'unsafe-inline' 'unsafe-eval' 'self' *.googleapis.com *.gstatic.com;"
   Header set X-XSS-Protection "1; mode=block"
   Header always append X-Frame-Options SAMEORIGIN
   Header set X-Content-Type-Options nosniff
   # The header name takes no trailing colon, and a value containing semicolons must be quoted
   Header set Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
</IfModule>

Problems associated with adding Security Headers via traditional methods

The traditional way of adding security headers has several drawbacks. We have made a list of the drawbacks associated with adding security headers via traditional methods.

Store Fixer Module As a Solution

Fortunately, there is an easier and more convenient method available: the Store Fixer module.

Store Fixer is a comprehensive security module that bundles the essential tools needed to stop spammers. Besides adding security headers to your store, it also simplifies adding ReCAPTCHA, Content Security and IP blocking.

When compared to the traditional methods of adding security headers, this add-on module from Astra makes adding security headers plug and play.

This module saves you not only time but also the effort of editing files. To add security headers to your store, you just have to install the module and follow these steps:

[Image: Security Headers by Store Fixer, showing the different security headers you can set with the module]

The security headers of this module provide your PrestaShop store with XSS protection, content sniffing protection, clickjacking protection and HttpOnly/Secure cookie flags. In short, you can rely on this module from Astra to keep your store safe.

Bonus: .htaccess techniques to add Security Headers

If you prefer to add the security headers yourself, you can use the following .htaccess techniques to set each header individually.

Clickjacking protection is added with the X-Frame-Options directive in your site's .htaccess file.

# X-Frame-Options
<IfModule mod_headers.c>
	Header always append X-Frame-Options SAMEORIGIN
</IfModule>

The following directive adds the X-Content-Type-Options header, which stops browsers from MIME-sniffing a response away from its declared content type.

# X-Content-Type nosniff
<IfModule mod_headers.c>
	Header set X-Content-Type-Options nosniff
</IfModule>

No modifications are needed when adding the following directive; most modern web browsers understand this header.

# X-XSS-Protection
<IfModule mod_headers.c>
	# Legacy header: Chromium-based browsers have dropped their XSS auditor and Firefox never
	# implemented one, so rely on the Content-Security-Policy header for XSS protection
	Header set X-XSS-Protection "1; mode=block"
</IfModule>
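Once the directives are in place, it is worth checking what the store actually sends. The checker below is an added example (my own code, not from this post or the Store Fixer module) that audits a captured response header block such as the output of `curl -sI`; the sample response is constructed to match the combined .htaccess block above, and the one-year HSTS threshold follows the preload list requirement.

```python
import re

# Constructed sample: what `curl -sI https://store.example/` might return after the
# combined .htaccess block is in place (store.example is a placeholder host).
SAMPLE_RESPONSE = """HTTP/1.1 200 OK
Content-Security-Policy: default-src 'unsafe-inline' 'unsafe-eval' 'self' *.googleapis.com *.gstatic.com;
X-XSS-Protection: 1; mode=block
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
Strict-Transport-Security: max-age=63072000; includeSubDomains; preload
"""

def parse_headers(raw):
    """Return {lower-cased name: value} from a raw header block (status line skipped)."""
    headers = {}
    for line in raw.splitlines()[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return headers

def audit(raw):
    """Return a list of findings; an empty list means every check passed."""
    h = parse_headers(raw)
    findings = []
    csp = h.get("content-security-policy")
    if csp is None:
        findings.append("missing Content-Security-Policy")
    else:
        # Either keyword lets injected inline script run, undoing most of the CSP's XSS value
        for weak in ("'unsafe-inline'", "'unsafe-eval'"):
            if weak in csp:
                findings.append(f"CSP allows {weak}")
    if h.get("x-frame-options", "").upper() not in ("DENY", "SAMEORIGIN"):
        findings.append("X-Frame-Options missing or not DENY/SAMEORIGIN (clickjacking)")
    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("X-Content-Type-Options is not nosniff (MIME sniffing)")
    m = re.search(r"max-age=(\d+)", h.get("strict-transport-security", ""))
    if not m:
        findings.append("missing Strict-Transport-Security")
    elif int(m.group(1)) < 31536000:
        findings.append("HSTS max-age below one year")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_RESPONSE) or ["all checks passed"]:
        print(finding)
```

Run against the sample above it reports only the two CSP findings, which is exactly the weakness the comment in the .htaccess block points at.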

I hope this post helped you configure security headers for your PrestaShop store. If you have any security questions, ask us in the chat box; we'll be happy to answer 🙂
