Skip to content




This reference presents a comprehensive compilation of all security measures implemented in Shopware 6, along with instructions on how to configure them.

ACL in the Administration

The Access Control List (ACL) in Shopware ensures that by default, data can only be created, read, updated, or deleted (CRUD), once the user has specific privileges for a module. ACL in the Administration

API aware field

The ApiAware flag allows you to control what fields of your entity are exposed to the Store API. For more information, refer to Flags Reference.


Captchas help to verify the user's humanity and prevent automated bots or scripts from gaining access. For more information, refer to Captcha article.


Content Security Policies (CSPs) are used to prevent Cross-Site-Scripting (XSS) attacks, as well as data injection attacks. This policy specifies the sources from which additional content (e.g., images, scripts, etc.) can be included.

The default policies are configured over the symfony container parameter and can be adjusted over the container configuration.

File access

Shopware 6 stores and processes a wide variety of files. This goes from product images or videos to generated documents such as invoices or delivery notes. This data should be stored securely, and backups should be generated regularly. For more information, refer to File system

GDPR compliance

General Data Protection Regulation (GDPR) is a comprehensive European Union (EU) regulation that enhances individuals' privacy rights by imposing strict rules on how organizations collect, process, and protect personal data. For more information, refer to GDPR guide.

HTML sanitizer

HTML sanitizer improves security, reliability, and usability of the text editor by removing potentially unsafe or malicious HTML code. For more information, refer to HTML Sanitizer guide.

Rate limiter

Shopware 6 provides certain rate limits by default that reduces the risk of brute-force attacks for pages like login or password reset. For more information, refer to Rate Limiter guide.

Reset sessions when changing password

As soon as a password is changed for a user or customer, the session is invalid and the user or customer must log in again. For more information, refer to:

SameSite prevents the browser from sending cookies along with cross-site requests. For more information on this, refer to SameSite Protection.

Security plugin

Obtaining security fixes without version upgrades is possible through the Security plugin.

Storefront IP Whitelisting

To enable access even during maintenance mode, IP addresses can be added to Storefront IP whitelisting.

SQL injection

SQL injection allows an attacker to execute new or modify existing SQL statements to access information that they are not allowed to access. By mainly using our own Data Abstraction Layer, that does not expose SQL directly, most of the SQL injection attack vectors are prevented. Whenever direct SQL is being used, the best practices from Doctrine DBAL are followed to ensure proper escaping of user input.