Skip to content

Security

You are viewing the next version (v6.7) of the documentation.
Click here to switch to the stable version (v6.6), or use the version switcher on the left to navigate between versions.

Security

Overview

This reference presents a comprehensive compilation of all security measures implemented in Shopware 6, along with instructions on how to configure them.

INFO

If you have found a security vulnerability in Shopware, please report it to us following the instructions in our Security Advisory Form.

ACL in the Administration

The Access Control List (ACL) in Shopware ensures that by default, data can only be created, read, updated, or deleted (CRUD), once the user has specific privileges for a module. ACL in the Administration

API aware field

The ApiAware flag allows you to control what fields of your entity are exposed to the Store API. For more information, refer to Flags Reference.

Captcha

Captchas help to verify the user's humanity and prevent automated bots or scripts from gaining access. For more information, refer to Captcha article.

CSP

Content Security Policies (CSPs) are used to prevent Cross-Site-Scripting (XSS) attacks, as well as data injection attacks. This policy specifies the sources from which additional content (e.g., images, scripts, etc.) can be included.

The default policies are configured over the shopware.security.csp_templates symfony container parameter and can be adjusted over the container configuration.

File access

Shopware 6 stores and processes a wide variety of files. This goes from product images or videos to generated documents such as invoices or delivery notes. This data should be stored securely, and backups should be generated regularly. For more information, refer to File system

GDPR compliance

General Data Protection Regulation (GDPR) is a comprehensive European Union (EU) regulation that enhances individuals' privacy rights by imposing strict rules on how organizations collect, process, and protect personal data. For more information, refer to GDPR guide.

HTML sanitizer

HTML sanitizer improves security, reliability, and usability of the text editor by removing potentially unsafe or malicious HTML code. For more information, refer to HTML Sanitizer guide.

Rate limiter

Shopware 6 provides certain rate limits by default that reduces the risk of brute-force attacks for pages like login or password reset. For more information, refer to Rate Limiter guide.

Reset sessions when changing password

As soon as a password is changed for a user or customer, the session is invalid and the user or customer must log in again. For more information, refer to:

SameSite prevents the browser from sending cookies along with cross-site requests. For more information on this, refer to SameSite Protection.

Security plugin

Obtaining security fixes without version upgrades is possible through the Security plugin.

Storefront IP Whitelisting

To enable access even during maintenance mode, IP addresses can be added to Storefront IP whitelisting.

SQL injection

SQL injection allows an attacker to execute new or modify existing SQL statements to access information that they are not allowed to access. By mainly using our own Data Abstraction Layer, that does not expose SQL directly, most of the SQL injection attack vectors are prevented. Whenever direct SQL is being used, the best practices from Doctrine DBAL are followed to ensure proper escaping of user input.