A lot of attention has gone into keeping your store secure, but keep in mind that no internet application is ever 100% secure. There are some things you can do to improve the security of your site even further. Let’s look at several areas.
Credit Card Security – As mentioned in the Payment Settings, CFWebstore no longer allows storage of credit card data unless tokens are used (i.e. Shift4 processing). This is due to the tightening of PCI compliance regulations, which makes storing card data highly risky and impossible to do correctly at a strictly software level. It requires extensive security and encryption procedures to be in place and should only be done with the assistance of a highly skilled security specialty firm. It is important to note, however, that if you take credit cards on your site (versus taking them only on an external site like PayPal), you will still need to fulfill Level 4 PCI compliance, which generally requires a yearly scan of your web server to check for vulnerabilities.
Cross-Site Scripting – Cross-site scripting (XSS) is a method of attacking a site through JavaScript embedded into areas of the page that get output to the screen. Examples include a form that refills itself with the submitted values, or a web forum that allows code to be embedded in posts. CFWebstore uses a variety of methods to prevent such attacks, but new ways of getting around such protection are always being found. One thing you can do to improve protection on your site is to enable the built-in CF protection. If you are running on CF7 or higher, you can do this by adding the scriptProtect attribute to the cfapplication tag at the end of config.cfm. See the CF documentation to learn more about this attribute and its various options. Keep in mind that this setting affects your entire site: if you need to embed something like a Flash movie into content areas of your store, setting scriptProtect to “All” or “Form” will prevent that, because the filter rewrites the submitted markup.
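As an added illustration (this is not CFWebstore’s own config.cfm), here is a cfapplication tag with the default, unprotected value shown commented out beside a corrected one that filters the URL, cookie and CGI scopes but leaves the form scope alone so admin-entered content can still carry embed markup. The application name and session timeout are placeholders; the scope names are ColdFusion’s documented scriptProtect options.

```cfml
<!--- Added example, not the store's shipped config.cfm.
      Application name and timeout below are placeholders. --->

<!--- Weak (ColdFusion default): no scope is filtered, so a
      <script> tag arriving in a URL parameter is echoed as-is.
<cfapplication
    name="cfwebstore_example"
    sessionmanagement="yes"
    scriptprotect="none">
--->

<!--- Corrected: rewrite <script>, <object>, <embed>, <applet> and
      <meta> tags found in url, cgi and cookie variables to
      <InvalidTag ...> before the request reaches store code.
      The form scope is deliberately omitted so that content
      editors can still save Flash <object>/<embed> markup; the
      store's own form validation must therefore remain in place.
      Use scriptprotect="all" instead if you never embed such media. --->
<cfapplication
    name="cfwebstore_example"
    sessionmanagement="yes"
    sessiontimeout="#createTimeSpan(0, 0, 30, 0)#"
    scriptprotect="url,cgi,cookie">
```

After changing the attribute, request a page with a harmless test parameter such as ?q=%3Cscript%3E and confirm the rendered output shows InvalidTag rather than a live script element.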
Session Sharing or Crossing – CFWebstore version 6.40 is now coded with a new setting for whether or not you use a shared SSL. If you can set up your SSL to match your store domain exactly, you can leave this setting turned off, which makes session spoofing and sharing less likely to occur. If you use a shared SSL, the store will need to append session IDs to the URL when crossing from the non-SSL to the SSL areas of your site. Occasionally you may run into an issue where customers report seeing other users’ data while in your store. This is caused by them entering the site through a link that carries the session identifiers (CFID and CFTOKEN). CFWebstore is coded to prevent search engines from using such a link, but occasionally a user will send out a link that unknowingly includes these session tokens. CFWebstore is coded to detect and prevent this issue, but it is less likely to occur if you use a dedicated SSL and do not have to put the session IDs on the URL. If this is not possible, however, be aware that the code that clears the session uses an internal variable to check for JavaScript redirects. To prevent the software from accidentally logging users out, be sure that any internal JavaScript code that redirects the user (such as setting location.href) includes ‘redirect=yes’ on the URL. Admin links that run in the main content window should also contain the string ‘inframes=yes’ to prevent breaking out of the admin frameset.