Why are NopCommerce-based online stores secure? I've listed some arguments below:
- NopCommerce uses Forms Authentication Provider and the ASP.NET membership provider with ASP.NET login controls (together they provide a way to collect user credentials, authenticate them and manage them using little or no code)
- Database access is secure – no dynamic SQL statements are used. All queries are parameterized, either manually or by Entity Framework.
- Error messages are safe – the application doesn't show detailed errors to users (achieved by configuring the customErrors section properly in web.config)
- Sensitive information is kept safely – passwords and encryption keys are encrypted in the database using MD5, SSL is turned on, and NopCommerce stores only the last 4 digits of the credit card number and masks it
- Guard against Denial-of-Service threats – file uploads are limited (4096 KB). You can use the httpRuntime section in web.config to set this limit.
- Guard against SQL statement exploits – the application uses parameterized SQL statements for data access
- Guard against scripting exploits – ASP.NET performs request validation against query-string and form variables as well as cookie values. By default, if the current Request contains HTML-encoded elements or certain HTML characters (such as `&#151;` for an em dash), the ASP.NET page framework raises an error.
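Several of the points above (forms authentication, hidden error details, the 4096 KB upload limit, request validation) are web.config settings. The fragment below is an added illustration, not nopCommerce's own web.config; the error-page paths and the login URL are assumptions, and the weak alternative is shown in a comment beside each corrected setting.

```xml
<configuration>
  <system.web>
    <!-- Forms authentication with the cookie sent only over SSL.
         Weak alternative: requireSSL="false" lets the auth cookie travel in clear text. -->
    <authentication mode="Forms">
      <forms loginUrl="~/login" requireSSL="true" cookieless="UseCookies" slidingExpiration="true" />
    </authentication>
    <httpCookies httpOnlyCookies="true" requireSSL="true" />

    <!-- Generic error pages for remote users; developers on localhost still see details.
         Weak alternative: mode="Off" returns stack traces and connection details to every client. -->
    <customErrors mode="RemoteOnly" defaultRedirect="~/Error.html">
      <error statusCode="404" redirect="~/NotFound.html" />
    </customErrors>

    <!-- maxRequestLength is in KB: 4096 = 4 MB, the limit named in the post.
         Request validation stays on (it is the default; do not disable it globally). -->
    <httpRuntime maxRequestLength="4096" executionTimeout="110" requestValidationMode="4.5" />
    <pages validateRequest="true" />
  </system.web>
</configuration>
```

Note that `maxRequestLength` governs ASP.NET's own limit; on IIS 7 and later the `requestLimits maxAllowedContentLength` attribute under `system.webServer/security/requestFiltering` (in bytes) applies first, so both must agree or the lower one wins.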
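The two points about database access and SQL statement exploits both come down to never letting user input become part of the statement text. The C# below is an added example, not nopCommerce code; the `Customer` table and its `Id` and `Email` columns are assumptions chosen for illustration.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;

// Added example: dynamic SQL versus the parameterized statements the post credits
// nopCommerce with using. Table and column names here are assumptions.
public static class CustomerLookup
{
    // UNSAFE, kept only for contrast: the value is spliced into the statement text,
    // so any single quote in the input changes the structure of the query itself.
    public static string BuildDynamicSql(string email)
    {
        return "SELECT Id FROM Customer WHERE Email = '" + email + "'";
    }

    // SAFE: the statement text is a constant. The value is sent to SQL Server as a
    // typed parameter, so the database never parses it as SQL, whatever it contains.
    public static int? FindCustomerId(SqlConnection connection, string email)
    {
        const string sql = "SELECT Id FROM Customer WHERE Email = @Email";
        using (var command = new SqlCommand(sql, connection))
        {
            // Declaring type and length keeps one cached plan and rejects oversize input.
            command.Parameters.Add("@Email", SqlDbType.NVarChar, 255).Value = email;
            object result = command.ExecuteScalar();
            return result == null || result == DBNull.Value
                ? (int?)null
                : Convert.ToInt32(result);
        }
    }
}
```

An Entity Framework query such as `context.Customers.Where(c => c.Email == email)` is translated to the same parameterized form, which is why the post counts EF-generated queries as safe; the exception is `Database.SqlQuery`/`ExecuteSqlCommand` with concatenated strings, which falls back to the unsafe pattern above.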