Security Options
The options in the 'Security' tab affect the overall security of your store. When you open the tab, LiteCommerce checks your store configuration to make sure that the HTTPS protocol is enabled at your store (Figure 3-10). Depending on the value of the 'HTTPS client to use' parameter, it either attempts to establish an HTTPS connection using the 'CURL PHP extension', the 'Curl external application' or the 'OpenSSL external application', or tries to detect automatically which of these HTTPS clients is present.

Figure 3-10: Security settings screen

If the HTTPS checkup fails, the following screen is displayed with instructions for fixing the secure connection problem:

Figure 3-11: HTTPS checkup failed

Lack of HTTPS support does not affect the basic functionality of your online store, which can operate without it. However, online payment gateways and real-time shipping methods cannot be used without a secure connection.

A higher level of security is achieved by activating the secure protocol (HTTPS) in the Administrator and Customer Zones of your store. Using HTTPS in the Customer Zone protects the confidential information transmitted during login, profile editing, shopping and checkout. Using encrypted HTTPS connections to access the Administrator Zone is especially recommended if the administrator manages the store over the Internet (as opposed to the local network), since sensitive business information is transmitted while store operation, configuration and maintenance tasks are performed.

Note: If your hosting provider requires that the HTTP and HTTPS parts of your store be located separately on the server (for example, 'public_html/' is the upload directory for HTTP content and 'secure_html/' is the upload directory for HTTPS content), you will need to duplicate all your store pages in both directories.
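The HTTPS checkup described at the start of this section can be repeated outside the admin panel, which helps when the checkup fails and you need to tell a server or certificate problem from a missing client. The following shell script is an added example and not part of LiteCommerce: the short client names, the order in which 'auto' probes for them (PHP cURL extension, then curl, then openssl) and the pass criterion (a TLS connection over which the web server answers a request) are assumptions.

```shell
#!/bin/sh
# Added example, not LiteCommerce code: repeat the Security tab's HTTPS checkup
# from the command line with the three clients the 'HTTPS client to use'
# setting offers. The short names, the 'auto' probing order and the success
# criterion are assumptions.

# Exit status 0 when PHP is installed with the cURL extension loaded.
has_php_curl() {
    command -v php >/dev/null 2>&1 &&
        php -r 'exit(extension_loaded("curl") ? 0 : 1);' 2>/dev/null
}

# detect_https_client [auto|php-curl|curl|openssl]
# Prints the name of the client to use; returns 1 if it is not available and
# 2 for an unknown name.
detect_https_client() {
    case "${1:-auto}" in
        auto)
            if has_php_curl; then echo php-curl
            elif command -v curl >/dev/null 2>&1; then echo curl
            elif command -v openssl >/dev/null 2>&1; then echo openssl
            else echo "no HTTPS client found: install curl or openssl" >&2; return 1
            fi ;;
        php-curl) has_php_curl && echo php-curl ;;
        curl)     command -v curl >/dev/null 2>&1 && echo curl ;;
        openssl)  command -v openssl >/dev/null 2>&1 && echo openssl ;;
        *)        echo "unknown HTTPS client: $1" >&2; return 2 ;;
    esac
}

# Host and port of an https:// URL (the port defaults to 443).
url_host() { printf '%s\n' "$1" | sed -E 's#^https://([^/:]+).*#\1#'; }
url_port() {
    p=$(printf '%s\n' "$1" | sed -nE 's#^https://[^/:]+:([0-9]+).*#\1#p')
    echo "${p:-443}"
}

# https_check CLIENT URL
# Returns 0 when CLIENT can open a TLS connection to the store and the web
# server answers the request, which is what the checkup needs to pass.
https_check() {
    client=$1; url=$2
    case "$url" in https://*) ;; *) echo "not an https:// URL: $url" >&2; return 2 ;; esac
    host=$(url_host "$url"); port=$(url_port "$url")
    case "$client" in
        php-curl)
            # PHP's cURL verifies the certificate by default; a HEAD request
            # that returns anything other than false counts as success.
            php -r '$c = curl_init($argv[1]);
                    curl_setopt($c, CURLOPT_NOBODY, true);
                    curl_setopt($c, CURLOPT_RETURNTRANSFER, true);
                    $ok = curl_exec($c) !== false;
                    curl_close($c);
                    exit($ok ? 0 : 1);' "$url" ;;
        curl)
            curl -sS -I -o /dev/null "$url" ;;
        openssl)
            # A bare s_client handshake is not enough: send a request and
            # require an HTTP status line back; fail on certificate errors too.
            printf 'HEAD / HTTP/1.0\r\nHost: %s\r\n\r\n' "$host" |
                openssl s_client -quiet -verify_return_error \
                    -connect "$host:$port" -servername "$host" 2>/dev/null |
                grep -q '^HTTP/' ;;
        *)  echo "unknown HTTPS client: $client" >&2; return 2 ;;
    esac
}

# Usage: sh https_checkup.sh auto https://shop.example.com/
if [ $# -ge 2 ]; then
    client=$(detect_https_client "$1") || exit 1
    if https_check "$client" "$2"; then
        echo "HTTPS checkup passed (client: $client)"
    else
        echo "HTTPS checkup failed (client: $client): check the certificate and server configuration" >&2
        exit 1
    fi
fi
```

Run it with the same client you selected in 'HTTPS client to use' and the store's https:// URL. A failure with every client points at the server (no TLS listener, expired or mismatched certificate), while a failure with only one client means that client is missing or misconfigured on the host.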
If your store is running on a UNIX platform, you can avoid duplicating the files by creating a symbolic link between these two locations. This requires that you access your website from the command line and issue the following commands:

Another security feature of LiteCommerce is the 'Clear cart on customer logoff' option. When it is enabled, nobody can see the customer's shopping cart contents after the customer logs off, even if the browser session is not closed (closing the browser clears the shopping cart regardless of this option).

The following protection systems can be enabled:

'Enable admin forms protection system': select this option to include a special numeric identifier in each form generated by LiteCommerce. This prevents the store administrator from submitting forms that do not carry a valid identifier. Links to such forms can be used by a malicious person to make the application inoperable or to gain access to the application back-end (this technique is known as cross-site request forgery, or CSRF; the original text of this manual calls it "phishing"). This option is enabled by default and we strongly recommend that you do not disable it. You can disable it temporarily for testing purposes, for example if some custom module does not work properly with it.

'Enable admin IP protection system': select this option to be able to limit access to the admin zone by IP address. An 'Admin IP protection' tab is added to the 'General settings' section.

'Enable .htaccess verification system': select this option to check whether the versions of the .htaccess files stored in the database and on the server are the same. A 'Security files' section is added at the bottom of the 'Environment' tab in the 'General settings' section.

'Enable Captcha protection system': select this option to add Captchas to the 'Contact us' and 'Registration' pages. A 'Captcha protection' tab is added to the 'General settings' section.
To enable any of the above options, place checkmarks in the corresponding fields and click the 'Submit' button to save your new settings. For further information on improving the security of your store, see the section "Security Considerations and Measures" of this manual.
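For the separate-directory hosting layout described in the Note earlier in this section, the following shell script is an added example (not the manual's own commands) that creates the symbolic link and checks that it works, refusing to overwrite an existing 'secure_html' directory. The account root, the direction of the link ('secure_html' pointing at 'public_html') and the directory names are assumptions taken from the Note's example.

```shell
#!/bin/sh
# Added example; these are not the manual's own commands. For a host that keeps
# HTTP and HTTPS content in separate upload directories, make the HTTPS
# directory a symbolic link to the HTTP one so the store files exist once.
# Directory names follow the manual's example ('public_html' for HTTP,
# 'secure_html' for HTTPS); the account root and the link direction are
# assumptions to adapt to your hosting.

# link_secure_dir ROOT HTTP_DIR HTTPS_DIR
# Creates ROOT/HTTPS_DIR -> HTTP_DIR (a relative link, so it survives moving
# the account) and checks that a file is reachable through both paths.
link_secure_dir() {
    root=$1; http_dir=$2; https_dir=$3
    if [ ! -d "$root/$http_dir" ]; then
        echo "missing HTTP directory: $root/$http_dir" >&2; return 1
    fi
    if [ -L "$root/$https_dir" ]; then
        target=$(readlink "$root/$https_dir")
        if [ "$target" = "$http_dir" ]; then
            return 0                      # already linked the way we want
        fi
        echo "$root/$https_dir already links to '$target', not to $http_dir" >&2
        return 1
    fi
    if [ -e "$root/$https_dir" ]; then
        # A real directory here usually holds an older, separate copy of the
        # store. Never replace it silently: move it aside and run again.
        echo "$root/$https_dir exists and is not a link; move it aside first" >&2
        return 1
    fi
    ln -s "$http_dir" "$root/$https_dir" || return 1
    # Prove the link works: a probe file written through the HTTP path must be
    # visible through the HTTPS path.
    probe=".link_probe.$$"
    : > "$root/$http_dir/$probe" || return 1
    if [ -f "$root/$https_dir/$probe" ]; then ok=0; else ok=1; fi
    rm -f "$root/$http_dir/$probe"
    return $ok
}

# Usage: sh link_secure_dir.sh /home/store public_html secure_html
if [ $# -eq 3 ]; then
    link_secure_dir "$1" "$2" "$3" && echo "$1/$3 -> $2"
fi
```

After linking, request a store page over https:// to confirm that the web server is allowed to follow symbolic links in your account; if it refuses, the hosting provider has to enable that, and duplicating the files remains the fallback.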
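The '.htaccess verification system' described above compares the stored and on-disk copies of the store's .htaccess files. The following shell script is an added example, not LiteCommerce's implementation, of the same check driven from the command line with a manifest of SHA-256 digests kept outside the web root; it also reports .htaccess files that were removed or newly added, which the database comparison does not mention. The store path and manifest location are assumptions.

```shell
#!/bin/sh
# Added example, not LiteCommerce's implementation: the same check the
# '.htaccess verification system' performs, done from the shell against a
# manifest kept outside the web root. .htaccess files carry access rules
# (directory listing, IP restrictions, rewrite rules), so a changed, removed
# or unexpected one is worth an alarm. Paths are assumptions.

# htaccess_manifest DIR
# Writes "<sha256>  <path>" for every .htaccess under DIR to stdout, sorted
# bytewise so two manifests can be compared with diff.
htaccess_manifest() {
    ( cd "$1" && find . -name .htaccess -type f | LC_ALL=C sort |
        while read -r f; do sha256sum "$f"; done )
}

# htaccess_verify DIR MANIFEST
# Compares the files on disk with MANIFEST. Prints one line per discrepancy
# (MISSING, CHANGED or NEW followed by the path) and returns 1 if there was
# any, 0 when disk and manifest agree.
htaccess_verify() {
    dir=$1; manifest=$2; status=0
    current=$(htaccess_manifest "$dir")
    # Every recorded file must still exist with the recorded digest.
    while read -r sum path; do
        [ -n "$path" ] || continue
        if [ ! -f "$dir/$path" ]; then
            echo "MISSING $path"; status=1
        elif ! printf '%s\n' "$current" | grep -qxF "$sum  $path"; then
            echo "CHANGED $path"; status=1
        fi
    done < "$manifest"
    # Every file on disk must be recorded: an unexpected .htaccess can relax
    # the rules set by a parent directory.
    while read -r sum path; do
        [ -n "$path" ] || continue
        grep -qF "  $path" "$manifest" || { echo "NEW $path"; status=1; }
    done <<EOF
$current
EOF
    return $status
}

# Usage: sh htaccess_check.sh record /var/www/store /root/htaccess.manifest
#        sh htaccess_check.sh verify /var/www/store /root/htaccess.manifest
case "${1:-}" in
    record) htaccess_manifest "$2" > "$3" ;;
    verify) htaccess_verify "$2" "$3" ;;
esac
```

Record the manifest right after installing or upgrading the store, keep it where the web server cannot write, and run the verify step from cron; a non-zero exit with the list of paths is the signal to inspect the files before trusting the store's access rules again.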