: Security considerations for my first eStore I have a website through which I am going to sell few products. It is hosted on a simple shared-hosting and does not have SSL. On the products page,
I have a website through which I am going to sell few products. It is hosted on a simple shared-hosting and does not have SSL.
On the products page, each product has a Buy Now button created from my PayPal Merchant account. PayPal recommends to use it's Button Factory to create secure buttons and save it inside PayPal itself. I have followed the same advice and the code of any button is secure and does not disclose any information on either a product or it's price.
When the user clicks on a Buy Now button, he/she is taken to PayPal site where a page is opened in SSL for the user to fill in the credit card and shipping details. After a successful transaction, the control is passed back to my site.
I want to know whether there is still any chance when security could be compromised.
More posts by @Nimeshi995
3 Comments
Sorted by latest first Latest Oldest Best
The list danlefree links to is a great rundown of the most common security issues in online and offline applications (probably a good checklist to perform on most projects), but aside from these general concerns, there aren't that many e-commerce-specific issues to worry about if you're using off-site payment processing like PayPal standard.
I mean, if your user is the target of a MITM (Man-in-the-Middle) attack, then it's possible for their payments to be diverted to the attacker's PayPal account (or have their PayPal credentials stolen), but this is a really unlikely scenario IMO. But if you want to be safe, then getting an SSL certificate and using it site-wide might be worthwhile. But the major e-commerce-related security concerns really only come about when you start handling PII (Personally Identifiable Information) and other sensitive information on-site. In that case, you need to start using TLS encryption, use a secure web host, and make sure you adhere to security best-practices (like only storing salted password hashes, adhering to the PCI-DSS, etc.).
If this is your first e-commerce site, then it's probably best that you use off-site payment processing and pay close attention to the integration guides (e.g. the section on securing website payments in the PayPal standard integration guide). The only other thing I can think of is to avoid using emails to manage orders. The reason is that it's possible for a malicious user to spoof an order notification email without actually placing an order. So always check your PayPal dashboard to manage/verify orders.
Take a look over the CWE/SANS Top 25 Most Dangerous Programming Errors and consider the possible threats posed by unauthorized access to your filesystem (i.e. what happens if an attacker adds a malicious Javascript to your pages?) - shared host security practices vary hugely between providers, so you may want to review your host's offerings and practices if you feel that you have cause for concern.
Absolutely, but unlikely depending on the type of product.
If you are talking about digital product / digital downloads, that is a whole other side and security concerns.
If you just check the PayPal transactions and then manually do something such as complete/ship an order, you should be ok - but if the confirmation page holds a script of some sort, it may be possible to "pretend" that the order was completed etc.
As you are not hosting anything to do with payments, I would say that even if you were targeted, any sort of "problems" will just be limited to downtime whilst you recover (take regular backups), but you should be pretty safe.
Terms of Use Create Support ticket Your support tickets Stock Market News! © vmapp.org2024 All Rights reserved.