
A Recipe to avoid having your Twitter, Facebook, CompuGlobalHyperMegaNet account stolen at an Airport or Conference

This week I’m heading to LA for the Magento Imagine conference. It should be a really diverse conference, with developers, marketers and all manner of other ecommerce industry experts brought together by a common interest in Magento. I’ll be presenting a short tech talk during the Developer UnConference section, which is billed as a developer-only techy session – sounds like fun! I’ll be running through some Magento engineering tips for doing project setup, development and deployment in a repeatable way.

I have a fairly grueling trip to get there, and amidst all the insecure Wi-Fi in the air at Sydney airport I thought I’d jot down a quick how-to for fellow travelers and conference-goers to avoid having their Twitter or Facebook account hacked by a 10-year-old with a MacBook.

Follow the recipe below for secure web browsing at airports on the way and while you’re at the Magento Imagine conference.

A simple way to password protect your Magento store

This post will describe a simple technique to secure your Magento virtual host with basic HTTP password protection provided by Apache. This can be useful if you want to keep users away from the webstore during development, or if you sell products wholesale and do not want unauthorized users to view your catalog/pricing.

To be very clear from the outset, this technique uses basic HTTP authentication, which sends the username and password base64-encoded (not encrypted) in every request. If it is used over plain HTTP rather than HTTPS, anyone on the network path can read the credentials in transit. If you are interested, you can learn more about the limitations of basic access authentication. As a simple mechanism for keeping people out of a site, it will do just fine. If you store your nuclear missile access codes in a Magento store database, do not use this technique to protect them, please.

Normally when I’m developing a new site I just use virtual hosting and a modified operating system hosts file to prevent people visiting it while it’s in development. I realize that’s not really security, more obscurity, but it has worked fine for me in the past.

Recently I have had a need to more fully protect a site, but also to make it public via DNS records. In a nutshell, the steps are: configure a virtual host for your web store, configure Apache authentication for it, set up a user and password, and reload Apache. I’ll run through everything in detail below.
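The virtual host those steps produce, written out as an added example for this page rather than the post’s own configuration. The hostname, paths and realm name are placeholders, and it assumes Apache 2.4 with mod_ssl and mod_auth_basic enabled:

```apache
# Added example (not the post's own config): a Magento virtual host protected
# with HTTP Basic authentication. Hostname, paths and realm are placeholders.
<VirtualHost *:443>
    ServerName shop.example.com
    DocumentRoot /var/www/magento

    # Terminate TLS here so the Basic credentials never travel in the clear.
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/shop.example.com.crt
    SSLCertificateKeyFile /etc/ssl/private/shop.example.com.key

    <Directory /var/www/magento>
        # Magento's .htaccess rewrite rules need this.
        AllowOverride All
        Options FollowSymLinks

        # Basic auth: the browser sends username:password base64-encoded on
        # every request once the realm has been answered. The password file
        # must live outside DocumentRoot so it can never be served.
        AuthType Basic
        AuthName "Wholesale catalog - staff only"
        AuthUserFile /etc/apache2/.htpasswd
        Require valid-user
    </Directory>
</VirtualHost>

# Send plain-HTTP visitors to HTTPS before any authentication prompt appears,
# so a user who types the bare hostname never answers the prompt unencrypted.
<VirtualHost *:80>
    ServerName shop.example.com
    Redirect permanent / https://shop.example.com/
</VirtualHost>
```

Create the password file with `htpasswd -c /etc/apache2/.htpasswd wholesale` (drop `-c` when adding further users, otherwise the file is overwritten), then run `apachectl configtest` and reload Apache. Because the port 80 vhost only redirects and the store itself is served solely on 443, there is no path on which the credentials cross the wire in the clear.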

Magento CSRF attack: A Simple Explanation

Everyone with a Magento store will recently have seen the notification that a possible CSRF attack against the Magento admin interface has surfaced. I thought I would take this opportunity to give a quick overview of CSRF (Cross-Site Request Forgery) attacks, in particular how they work against web administration panels such as Magento’s, and ways to protect Magento and other web applications from this sort of attack.

The CSRF Basics

The easiest way to explain the attack is to think about what is happening under the hood when you are navigating a web page. Your browser makes requests to the remote server for content, and to manipulate data stored on the server. In a strict RESTful approach to web applications, your browser will make GET requests when you are reading information and POST or PUT requests when you are creating or updating information. Crucially, the browser attaches the site’s cookies, including your admin session cookie, to any request for that site even when a page on a different site triggered it (unless the cookie is restricted with the SameSite attribute); that is the behaviour CSRF exploits.
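As an added example for this page (my own code, not Magento’s; the function names, the `csrf_token` field and the admin URL are hypothetical), here is the pattern that stops a forged admin request: a per-session secret that the admin pages embed in their forms and that the server demands on every state-changing request. The attacker’s page is sketched alongside so the three request cases at the bottom are concrete.

```php
<?php
// Added example (not Magento's code). Names and URLs are hypothetical.
declare(strict_types=1);

// What the attacker's page does (constructed, for illustration): an
// auto-submitting form aimed at the admin action. The victim's browser adds
// the admin session cookie, so without a token check the server obeys it.
const ATTACKER_PAGE = <<<'HTML'
<form id="f" method="POST" action="https://shop.example.com/admin/catalog/product/delete">
  <input type="hidden" name="id" value="42">
</form>
<script>document.getElementById('f').submit();</script>
HTML;

// Issue one secret per session from a CSPRNG and reuse it for every form.
function csrf_token(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32)); // 256 bits
    }
    return $_SESSION['csrf_token'];
}

// Hidden field the admin templates put inside every state-changing form.
// An attacker's page cannot read it: same-origin policy hides the admin
// page's contents from other origins.
function csrf_field(): string
{
    return '<input type="hidden" name="csrf_token" value="'
        . htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8') . '">';
}

// Verify the submitted token against the session's secret in constant time.
function csrf_check(array $post): bool
{
    $expected = $_SESSION['csrf_token'] ?? '';
    $given    = $post['csrf_token'] ?? '';
    return $expected !== '' && is_string($given) && hash_equals($expected, $given);
}

// VULNERABLE: acts on any POST that arrives with the admin's session cookie,
// which is exactly what the forged cross-site form submission above supplies.
function delete_product_vulnerable(array $post): string
{
    // deleteProduct((int) $post['id']);
    return 'deleted ' . (int) $post['id'];
}

// HARDENED: only a POST carrying the session's secret is honoured, so a
// request originating from another site (or a GET via <img src>) is refused.
function delete_product_hardened(string $method, array $post): string
{
    if ($method !== 'POST' || !csrf_check($post)) {
        http_response_code(403);
        return 'forbidden';
    }
    // deleteProduct((int) $post['id']);
    return 'deleted ' . (int) $post['id'];
}

// Demo with a constructed session and constructed requests.
session_start();
$token = csrf_token();

// 1. Legitimate submission from the admin's own form: token present.
echo delete_product_hardened('POST', ['id' => 42, 'csrf_token' => $token]), "\n";
// 2. The forged request from ATTACKER_PAGE: cookie present, token absent.
echo delete_product_hardened('POST', ['id' => 42]), "\n";
// 3. A forged GET, e.g. <img src="...delete?id=42"> on the attacker's page.
echo delete_product_hardened('GET', ['id' => 42, 'csrf_token' => $token]), "\n";
// The vulnerable handler, for contrast, accepts the forged request outright.
echo delete_product_vulnerable(['id' => 42]), "\n";
```

The token check has to be enforced on the server for every action that changes state, not just on the form that renders the field; an attacker targets the action URL directly and never loads the form. Rejecting non-POST methods for such actions is the second half of the defence, since a GET can be forged with nothing more than an image tag.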
