There was a pen-test that has been done to validate our e-com business and the security team found some issues. Can you suggestion how to resolve these?
Unnecessary ports open on the server
Too many open ports on the server. Understand this is a shared environment, anything we can do about this?
Possible to inject SQL queries
Users can add sql statements to forms, for example address field in shipping address
Cache control headers are not set properly
Can we set cache control to no store and pragma to no-cache?
Secure and Httponly cookie attributes are not set
Session cookies need to set to secure and httponly
My Order request can be automated to harvest customer PII data
Adding captcha to areas where login is needed
The web server contains a robots.txt file
Modify robots.txt to have non-sensitive information
CVV number is not masked on the checkout page
Can we mask ccv number during payment
Any suggestion on the above is highly appreciated
They didn't provide a whole lot of information. I don't work at Shopify, just a dev/ops nerd, so take this with a grain of salt:
1. I doubt Shopify is going to change open ports. Knowing which ports they believe need to be closed is a good start. Shopify has a lot of integrations, and the ports are likely open for a reason.
2. Do they have proof that an SQL injection is possible? That would mean they were able to read or write additional data to the server. If you have 3rd party apps that deal with shipping, they may have bugs or security issues.
Actually, all of the answers to the other problems are about the same - they should show some examples, cookies and headers are unlikely to change due to specific use cases of Shopify, etc.
https://community.shopify.com/c/Shopify-Discussion/How-can-I-edit-robots-txt/td-p/432485 has some info about robots.txt. Again, you can make minor changes, but not change the file overall.
CVV I have no answer to, maybe there's an app or plugin that masks it.
Thanks for your suggestions.
The team did provide clear examples for each and every issue. I could not post them here for security reasons.
I assumed shopify is not going to do any changes at their end to satisfy a single customer's needs. But was hoping there is a work around to this.
Just a quick update about the robot.txt file that was referenced in this post. As of today, June 21st, 2021, we have launched the ability to edit the robot.txt file to give merchants more control over the information that is crawled by search engines. You can learn more about how to edit your robot.txt file through our community post here.
If you have any questions about the new feature, please do not hesitate to create a new post under our "Techincal QA" board.