Security
We are always striving to provide the highest level of security. Therefore, when developing new features for Aurora, factors affecting security are considered and taken into account.
PCI DSS Compliance
Acquiring banks are required to comply with PCI DSS legislation, having their compliance validated by means of an audit. In the event of a security breach, any compromised entity which was not PCI DSS compliant at the time of breach may be subject to additional card scheme penalties, such as fines.
The below features have been developed to help clients meet PCI DSS compliance standards.
What is HTTPS?
HTTPS is the secure version of how webpages are delivered. Under HTTPS, all traffic is encrypted so that no one can read the data being transmitted. It is considered essential that all e-commerce sites use this for orders and transactions.
Recently Google have been prioritising sites using HTTPS in search results, so for SEO purposes it may be best that all sites use HTTPS.
Switching over to HTTPS
Using the Force Site to HTTPS option, located on the Site Mode tab under Store > Settings > Aurora, you can now switch your entire site to use HTTPS. Simply check the box and use the apply settings button at the bottom. Providing your server is setup correctly, the entire site will now be using HTTPS.
Secure Cookies
When you are using HTTPS across your entire site, you should consider having the Cookie Secure Flag setting enabled to enforce that your Cookies are also forcibly created over HTTPS, and not shared over to HTTP.
This option is separate to allow it to be disabled in the unusual circumstance that it needs to be off, but should be turned on with the Force Site to HTTPS setting as a standard practice.
Prevent iframes
From the perspective of the PCI Security Standards Council, the iframe provides a level of PCI DSS scope reduction, because the merchant’s web server no longer stores, processes, or transmits credit card data. We have provided a setting which, when enabled, prevents pages from your store being loaded in externally hosted iframes.
The setting can be found by navigating to:
Store > Settings > Security > Prevent assets loading in external iframes?
Use this setting to resolve PCI issues referring to things such as X-Frame-Options.
Other HTTP security response headers
The following security response headers can be enabled within your Aurora security settings here:
Store > Settings > Security
| Header | Description | Default Value (when enabled) |
|---|---|---|
| X-XSS-Protection | By enabling this header you can prevent a degree of 'cross site scripting' (XSS) attacks. | 1; mode=block |
| X-Content-Type-Options | This header tells web browsers to disable MIME and content sniffing. This prevents attacks such as 'MIME confusion attacks'. It will reduce your site's exposure to 'drive-by download' attacks and prevents your server from uploading malicious content that is disguised with clever naming. | nosniff |
| Strict-Transport-Security | This header forces the web browser to ensure all communication is sent via a secure HTTPS connection. If your site is serving mixed content then implementing this will break your site. Ensure that all URLs are being served as https before enabling this header. Aurora uses the recommended default value of two years for the max-age value, however you can override this within your Aurora security settings here: Store > Settings > Front-end > Security > Strict Transport Security Max Age? | max-age=63072000; includeSubDomains; preload |
Updated over 2 years ago