Showing results for tags 'security'.
-
Time-based one-time password (TOTP) is a computer algorithm that generates a one-time password (OTP) that uses the current time as a source of uniqueness. As an extension of the HMAC-based one-time password algorithm (HOTP), it has been adopted as Internet Engineering Task Force (IETF) standard RFC 6238.[1] TOTP is the cornerstone of the Initiative for Open Authentication (OATH), and is used in a number of two-factor authentication (2FA) systems. A Time-Based One-Time Password or TOTP is a passcode valid for 30 to 90 seconds that has been generated using the value of the Shared Secret and the system time.

How it works inside ClicShopping

You have two options you can activate, one for the administration protection and one for the catalog login. The approach is the same for both. You enter your email and you are redirected to the TOTP page with a QR code. You just have to scan the code with your phone.

Administration login:

Protection 1, Connection: You must enter your login and password. If it does not work you must restart. It's the normal security process.

Protection 2, IP identification: Your IP is registered every time you try to log into the administration. After 5 attempts (you can define the number), your account is blocked and you must wait before trying again. You can also receive an email to know if someone tried to connect to your admin.

Protection 3, Double authentication by TOTP (option): This is an option where you can include the TOTP identification. The process is quite simple. If you activate TOTP, the first time you try to connect to the admin, a TOTP password is generated and saved in your database. Then a QR code appears and you must finish your identification by scanning the QR code and entering the number given by your phone. The process compares the TOTP number with your QR code number and allows you to connect, or not, to the administration.

The login: This is the same process as the administration.

Protection 1, Connection: You must enter your login and password. If it does not work you must restart. It's the normal security process.

Protection 2, Double authentication by TOTP (option): Same process as the Administration for the TOTP authentication.

Conclusion: This approach is not a perfect security process but it allows you to have something better with low interference with the client's actions. It is in conformity with the regulatory recommendation proposed in Europe. You can activate this process only for the administration or only for the catalog; they are independent processes. For example, Amazon is more restrictive about double identification because you must receive a code on your smartphone. The problem with this approach is that if you try to connect from another computer and you do not have your phone, you cannot. On the other hand, with the TOTP process implemented in ClicShopping, you can use it on every computer. To increase the application security and data storage, you always have a compromise to choose and there is always a repercussion on your client. At one moment it can be transparent, at another moment they must do an action. You can also increase the security further by including the antispam App and creating different kinds of security approaches in the different ClicShopping forms. The point addressed here is only about identification.
-
Tagged with: double authentification, topt
-
Hello, a little tutorial to help you include some interesting elements in your .htaccess and increase the website security. I also use the ClicShopping .htaccess in this tutorial. This link can help you: https://htaccessbook.com/increase-security-x-security-headers/

```apache
##################################
# Security
# Be careful, the approach is different on Linux, Nginx, IIS
# Below is for Linux (Apache)
##################################
<IfModule mod_headers.c>
    # Prevent MIME-sniffing based attacks
    Header set X-Content-Type-Options "nosniff"
    # Legacy XSS filter switch: current browsers ignore it (Chrome removed its
    # XSS Auditor, Firefox never had one), so it is harmless but not a defence
    Header set X-XSS-Protection "1; mode=block"
    # Forbid framing of the site (clickjacking); "always" also covers error pages
    Header always set X-Frame-Options "DENY"
</IfModule>
```

About the bots:

```apache
##################################
# Bot
##################################
## Rules to block bad bots from accessing web pages on your site.
## Remove or add more rules as per your needs.
## BrowserMatchNoCase matches the User-Agent header, which any client can
## forge, so this only stops bots that identify themselves honestly.
BrowserMatchNoCase "Baiduspider" bots
BrowserMatchNoCase "SemrushBot" bots
BrowserMatchNoCase "Yandex" bots
BrowserMatchNoCase "BLEXBot" bots
BrowserMatchNoCase "AhrefsBot" bots
BrowserMatchNoCase "DotBot" bots
BrowserMatchNoCase "Exabot" bots
BrowserMatchNoCase "SeznamBot" bots
BrowserMatchNoCase "aiHitBot" bots
BrowserMatchNoCase "spbot" bots
BrowserMatchNoCase "MJ12bot" bots
BrowserMatchNoCase "oBot" bots
BrowserMatchNoCase "DeuSu" bots
BrowserMatchNoCase "ia_archiver" bots
BrowserMatchNoCase "MetaURI" bots
BrowserMatchNoCase "FlipboardProxy" bots
# Apache 2.2 access control (on 2.4 it only works when mod_access_compat is loaded)
<IfModule !mod_authz_core.c>
    Order Allow,Deny
    Allow from ALL
    Deny from env=bots
</IfModule>
# Apache 2.4 equivalent of the three lines above
<IfModule mod_authz_core.c>
    <RequireAll>
        Require all granted
        Require not env bots
    </RequireAll>
</IfModule>
```

Caching schema:

```apache
##################################
# Caching schema
##################################
<IfModule mod_headers.c>
    Header unset ETag
    Header unset Last-Modified
</IfModule>
## EXPIRES CACHING ##
## https://gtmetrix.com/leverage-browser-caching.html ##
<IfModule mod_expires.c>
    ExpiresActive On
    ExpiresDefault "access plus 1 month"
    ExpiresByType image/gif "access plus 1 month"
    ExpiresByType image/jpeg "access plus 1 month"
    ExpiresByType image/png "access plus 1 month"
    ExpiresByType image/webp "access plus 1 month"
    # text/css and application/javascript are set once each: the original file
    # listed them twice (1 week, then 1 year) and the last directive wins
    ExpiresByType text/css "access plus 1 week"
    ExpiresByType text/javascript "access plus 1 week"
    ExpiresByType application/javascript "access plus 1 week"
    ExpiresByType application/x-javascript "access plus 1 week"
    ExpiresByType image/x-icon "access plus 1 year"
    ExpiresByType image/svg+xml "access plus 1 year"
    ExpiresByType image/vnd.microsoft.icon "access plus 1 year"
    ExpiresByType application/font-woff "access plus 1 year"
    ExpiresByType application/x-font-woff "access plus 1 year"
    ExpiresByType font/woff2 "access plus 1 year"
    ExpiresByType application/vnd.ms-fontobject "access plus 1 year"
    ExpiresByType font/opentype "access plus 1 year"
    ExpiresByType font/ttf "access plus 1 year"
    ExpiresByType font/otf "access plus 1 year"
    ExpiresByType application/x-font-ttf "access plus 1 year"
    ExpiresByType application/x-font-otf "access plus 1 year"
</IfModule>
```

Apache 2.4:

```apache
##################################
# Apache 2.4
##################################
<IfModule mod_version.c>
<IfModule mod_filter.c>
<IfVersion >= 2.4>
    FilterDeclare COMPRESS
    # Match on the media-type prefix so "text/html; charset=utf-8" is compressed too.
    # Note: compressing HTML that mixes secrets (CSRF tokens) with attacker-chosen
    # input exposes the page to BREACH over HTTPS; keep such pages out of this list.
    FilterProvider COMPRESS DEFLATE "%{CONTENT_TYPE} =~ m|^text/html|"
    FilterProvider COMPRESS DEFLATE "%{CONTENT_TYPE} =~ m|^text/css|"
    FilterProvider COMPRESS DEFLATE "%{CONTENT_TYPE} =~ m|^text/plain|"
    FilterProvider COMPRESS DEFLATE "%{CONTENT_TYPE} =~ m|^text/xml|"
    FilterProvider COMPRESS DEFLATE "%{CONTENT_TYPE} =~ m|^text/x-component|"
    FilterProvider COMPRESS DEFLATE "%{CONTENT_TYPE} =~ m|^application/javascript|"
    FilterProvider COMPRESS DEFLATE "%{CONTENT_TYPE} =~ m|^application/json|"
    FilterProvider COMPRESS DEFLATE "%{CONTENT_TYPE} =~ m|^application/xml|"
    FilterProvider COMPRESS DEFLATE "%{CONTENT_TYPE} =~ m|^application/xhtml\+xml|"
    FilterProvider COMPRESS DEFLATE "%{CONTENT_TYPE} =~ m|^application/rss\+xml|"
    FilterProvider COMPRESS DEFLATE "%{CONTENT_TYPE} =~ m|^application/atom\+xml|"
    FilterProvider COMPRESS DEFLATE "%{CONTENT_TYPE} =~ m|^application/vnd\.ms-fontobject|"
    FilterProvider COMPRESS DEFLATE "%{CONTENT_TYPE} =~ m|^image/svg\+xml|"
    FilterProvider COMPRESS DEFLATE "%{CONTENT_TYPE} =~ m|^image/x-icon|"
    FilterProvider COMPRESS DEFLATE "%{CONTENT_TYPE} =~ m|^application/x-font-ttf|"
    FilterProvider COMPRESS DEFLATE "%{CONTENT_TYPE} =~ m|^font/opentype|"
    FilterChain COMPRESS
    FilterProtocol COMPRESS DEFLATE change=yes;byteranges=no
</IfVersion>
</IfModule>
</IfModule>
```
-
Hello, as it's my first time using ClicShopping, I would like to know if it's possible to move the admin directory to another directory for more security.
-
Websites are by nature high-risk elements of the information system. Security is of great importance, and this for several reasons. The best-known threats on websites are defacements and denial of service. Defacement is an attack in which an attacker modifies the site to replace the legitimate content with content of their choosing, for example relaying a political message to denigrate the site owner, or simply to assert the attack as evidence of expertise. A denial of service has as its object to make the site unavailable to its legitimate users. In both cases, the impact on the site owner is obviously a poor image and, in the case of a site supporting a lucrative business, a shortfall.

To reduce the most common attacks, here are a few recommendations that you can apply.

Step 1: Your administrators

Register an Administrator:
- Your nickname: We recommend you use a complex alias that is not common, or use your email.
- Password: a complex password with * / - + ( ) will necessarily complicate things for a hacker who wants to enter your online store ClicShopping.

Step 2: The Security Module

In the menu Configuration / Action recorder, please edit the different modules to change the security. For example, the default Administration module contains two types of value:
- Please specify the waiting time after a connection error in the administration part: This value indicates the time that an administrator must wait before attempting to reconnect. Note: the longer the time, the better.
- Please specify the number of allowed login attempts to log in as admin: This value indicates the number of connection attempts allowed. If this value is exceeded, it will be impossible to connect. Note: the smaller the value, the better (keep a margin in case you make a mistake).

In addition, for each failed connection attempt, you will receive an email telling you that someone has tried to log in to your administration.

In the menu Tools / Securities, server information, you will find a summary of the analysis of the main components of your server. Inside this menu you have more options that you can look at, and they can eventually help you update your configuration. You can also install in your dashboard some modules that can help or remind you of some actions to take inside your application.

Step 3: Configuration files and access to your ClicShoppingAdmin

Theoretically, if you have followed the Installation Manual, it is not useful to speak about this item. However, we recall that the rights on the configure.php file must be in read-only mode, i.e. chmod 444:
- First, for security reasons.
- Second, for an update or upgrade.
Please make sure that these rights are correct. The most important elements are located at:
/ClicShopping/Sites/ClicShoppingAdmin/conf.php
/ClicShopping/Sites/Shop/conf.php
/ClicShopping/Sites/conf/

Step 4: Access to your administration

You can also rename the ClicShoppingAdmin directory to improve security. However, you must perform several operations for this:
- /ClicShopping/Sites/ClicShoppingAdmin/conf.php
- Replace the ClicShoppingAdmin directory name with your new directory
You can add an .htaccess and .htpasswd, if you want.

Step 5: Your Store - The images directory

About this directory, the best is to let the server manage it. But for the best use, the images directories and sub-directories must be in CHMOD 755 and files in 644 mode. Generally these are the default settings provided by the Apache server. However, there may be a warning in the ClicShopping administration notifying you that it cannot save the file. In this case, we recommend you put the directories and files in 777 mode. ClicShopping saves product image files with chmod 644 when setting them up. If you create other directories, we advise you to put an empty index.html or index.php file in them; you can create it directly from the images editor that is offered in ClicShopping.

In addition, this directory (but others too) is protected by a .htaccess file preventing access to these directories via your browser.

Conclusion

If you apply these best practices, you will improve the security of your online store. Do not forget to install the antispam App: https://www.clicshopping.org/forum/files/file/112-apps-configuration-antispam/
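As an added example that is not ClicShopping's own code, here is the lockout logic that Step 2 describes (a number of allowed attempts, a waiting time after a connection error, and a notification on every failure) written in Python so the two settings can be seen interacting. The threshold values, the key names and the notification format are assumptions; the real defaults live in ClicShopping's configuration and are not on this page.

```python
import time
from collections import defaultdict
from dataclasses import dataclass
from typing import Callable, List

# Assumed values standing in for the two Action recorder settings described in
# Step 2; the real defaults live in ClicShopping's configuration, not on this page.
MAX_ATTEMPTS = 5      # "number of allowed login attempts"
WAIT_SECONDS = 900    # "time to wait after a connection error"


@dataclass
class SourceState:
    failures: int = 0            # consecutive failures since the last success or lockout
    blocked_until: float = 0.0   # unix time until which this source is refused


class LoginThrottle:
    """Per-source admin login lockout.

    Keyed on the client IP (as the page describes), optionally combined with
    the admin username. After `max_attempts` consecutive failures the source
    is refused for `wait_seconds`, and every failure emits a notification
    record (the page says an email is sent on each failed attempt).
    """

    def __init__(self, max_attempts: int = MAX_ATTEMPTS,
                 wait_seconds: int = WAIT_SECONDS,
                 clock: Callable[[], float] = time.time) -> None:
        self.max_attempts = max_attempts
        self.wait_seconds = wait_seconds
        self.clock = clock                        # injectable so tests can move time
        self.state = defaultdict(SourceState)
        self.notifications: List[str] = []        # stand-in for the outgoing mail queue

    def is_blocked(self, key: str) -> bool:
        return self.state[key].blocked_until > self.clock()

    def attempt(self, key: str, check_credentials: Callable[[], bool]) -> str:
        """Returns 'blocked', 'failed' or 'ok'."""
        st = self.state[key]
        now = self.clock()
        if st.blocked_until > now:
            # Refuse before the credentials are even checked: a locked-out caller
            # learns nothing about whether the password was right, and no
            # password hash is computed on their behalf.
            return "blocked"
        if not check_credentials():
            st.failures += 1
            self.notifications.append(
                f"failed admin login from {key} at {int(now)} "
                f"(attempt {st.failures} of {self.max_attempts})")
            if st.failures >= self.max_attempts:
                st.blocked_until = now + self.wait_seconds
                st.failures = 0   # the counter restarts once the wait has elapsed
            return "failed"
        st.failures = 0           # a successful login clears the failure history
        return "ok"


if __name__ == "__main__":
    # Constructed walk-through: three wrong passwords from one address, then the lockout.
    throttle = LoginThrottle(max_attempts=3, wait_seconds=60)
    for _ in range(3):
        print(throttle.attempt("203.0.113.5", lambda: False))
    print(throttle.attempt("203.0.113.5", lambda: True), throttle.notifications[-1])
```

Keying on the IP alone lets an attacker behind many addresses keep guessing against one account, and keying on the account alone lets anyone lock the real administrator out; in practice the state is kept per (address, account) pair and persisted in the database so a server restart does not reset it.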