magento-security

Magento 2 Security

Before writing code

Fetch live docs:

1. Web-search site:experienceleague.adobe.com commerce security for security best practices
2. Web-search site:developer.adobe.com commerce php development security for developer security guide
3. Web-search magento 2 security patches latest for recent security updates

Content Security Policy (CSP)

What It Does

Protects against XSS and code injection by restricting which resources (scripts, styles, images, fonts) can load.

Configuration

• etc/csp_whitelist.xml — whitelist external domains per CSP directive
• Modes: report-only (logs violations) and restrict (blocks violations)
• Directives: script-src, style-src, img-src, font-src, connect-src, frame-src

Adding Allowed Sources

Whitelist third-party domains for payment gateways, analytics, CDNs:

• Declare in csp_whitelist.xml under the appropriate directive
• Use report-only mode first to identify missing whitelists

Two-Factor Authentication (2FA)

• Mandatory for all admin users since Magento 2.4.0
• Supported providers: Google Authenticator, Duo Security, Authy, U2F keys
• Rate limiting on OTP validation (configurable retry limit and lockout)
• Cannot be disabled in production (security requirement)

CSRF Protection

• form_key — 16-character token included in all admin forms
• Validated on every POST request in admin
• SameSite cookie attribute prevents cross-site request forgery
• Admin Secret Key in URLs adds additional protection

Admin Security Configuration

Available at Stores > Settings > Configuration > Advanced > Admin > Security:

• Custom admin URL path (obscure the /admin path)
• Add Secret Key to URLs
• Password lifetime (force periodic changes)
• Max login failures before lockout
• Lockout duration
• Session lifetime
• Allowed countries for admin access

Input Validation and Output Escaping

Input Validation

• Validate all user input on the server side
• Use Magento's validation classes and form validators
• Never trust client-side validation alone
• Validate types, lengths, formats, and allowed values

Output Escaping (XSS Prevention)

In PHTML templates, always escape output:

• $escaper->escapeHtml($value) — HTML context
• $escaper->escapeUrl($url) — URL context
• $escaper->escapeJs($value) — JavaScript context
• $escaper->escapeHtmlAttr($value) — HTML attribute context
• $escaper->escapeCss($value) — CSS context
• Never use echo $value directly in templates

reCAPTCHA

• Native Google reCAPTCHA v2/v3 support since 2.3
• Configurable per form: login, registration, forgot password, checkout, contact
• Admin configuration at Stores > Configuration > Security > reCAPTCHA

API Security

• Bearer token authentication for REST/SOAP
• ACL-based authorization for all endpoints
• Rate limiting on authentication endpoints
• OAuth 1.0a for third-party integrations

Best Practices

• Apply security patches promptly — subscribe to Adobe Security Bulletins
• Use a custom admin URL (not /admin)
• Enable 2FA for all admin accounts
• Set strong password policies (length, complexity, expiry)
• Use HTTPS everywhere (frontend + admin)
• Restrict admin access by IP where possible
• Enable CSP in restrict mode (not just report-only)
• Escape all output in templates
• Keep Magento and all extensions up to date
• Run periodic security scans (Adobe Security Scan Tool)
• Review third-party extensions for security before installing

Fetch the security documentation for current CSP directives, 2FA configuration options, and latest security patches before implementing.