Security
Overview
This reference presents a comprehensive compilation of all security measures implemented in Shopware 6, along with instructions on how to configure them.
ACL in the Administration
The Access Control List (ACL) in Shopware ensures that by default, data can only be created, read, updated, or deleted (CRUD), once the user has specific privileges for a module. ACL in the Administration
API aware field
The ApiAware flag allows you to control what fields of your entity are exposed to the Store API. For more information, refer to Flags Reference.
Captcha
Captchas help to verify the user's humanity and prevent automated bots or scripts from gaining access. For more information, refer to Captcha article.
CSP
Content Security Policies (CSPs) are used to prevent Cross-Site-Scripting (XSS) attacks, as well as data injection attacks. This policy specifies the sources from which additional content (e.g., images, scripts, etc.) can be included.
The default policies are configured over the shopware.security.csp_templates symfony container parameter and can be adjusted over the container configuration.
File access
Shopware 6 stores and processes a wide variety of files. This goes from product images or videos to generated documents such as invoices or delivery notes. This data should be stored securely, and backups should be generated regularly. For more information, refer to File system
GDPR compliance
General Data Protection Regulation (GDPR) is a comprehensive European Union (EU) regulation that enhances individuals' privacy rights by imposing strict rules on how organizations collect, process, and protect personal data. For more information, refer to GDPR guide.
HTML sanitizer
HTML sanitizer improves security, reliability, and usability of the text editor by removing potentially unsafe or malicious HTML code. For more information, refer to HTML Sanitizer guide.
Rate limiter
Shopware 6 provides certain rate limits by default that reduces the risk of brute-force attacks for pages like login or password reset. For more information, refer to Rate Limiter guide.
Reset sessions when changing password
As soon as a password is changed for a user or customer, the session is invalid and the user or customer must log in again. For more information, refer to:
SameSite cookie
SameSite prevents the browser from sending cookies along with cross-site requests. For more information on this, refer to SameSite Protection.
Security plugin
Obtaining security fixes without version upgrades is possible through the Security plugin.
Storefront IP Whitelisting
To enable access even during maintenance mode, IP addresses can be added to Storefront IP whitelisting.
SQL injection
SQL injection allows an attacker to execute new or modify existing SQL statements to access information that they are not allowed to access. By mainly using our own Data Abstraction Layer, that does not expose SQL directly, most of the SQL injection attack vectors are prevented. Whenever direct SQL is being used, the best practices from Doctrine DBAL are followed to ensure proper escaping of user input.
