Let's rokk! [Tudor Cret's blog]

August 24, 2011

Securing NopCommerce stores

Filed under: Uncategorized — Tudor Cret @ 9:29 am

Why are NopCommerce-based online stores secure? I have pointed out some arguments below:

  • Authentication – NopCommerce uses Forms Authentication together with the ASP.NET membership provider and the ASP.NET login controls; together they collect user credentials, authenticate them and manage accounts with little or no custom code.
  • Database access is parameterized – no SQL statement is built by string concatenation. Queries are either parameterized by hand or generated by Entity Framework, which parameterizes LINQ queries itself. Any raw SQL you add in a customization must keep to the same rule.
  • Error messages are safe – the application does not show detailed errors (stack traces, file paths, connection strings) to remote users. This is achieved by configuring the customErrors section of web.config with mode="RemoteOnly" (or "On") and a defaultRedirect page.
  • Sensitive information is kept safely – passwords are stored hashed rather than in clear text (note that a hash such as MD5 is not encryption, and MD5 in particular is no longer adequate for password storage; a salted, deliberately slow password hash should be used), SSL can be turned on for the store, and only the last four digits of a credit card number are stored, masked.
  • Guard against denial-of-service threats – the size of a request, and therefore of file uploads, is limited to 4096 KB by default. The limit is set with the maxRequestLength attribute of the httpRuntime section in web.config; raise it only as far as legitimate uploads (product images, import files) require.
  • Guard against SQL statement exploits – the application uses parameterized SQL statements for data access, so user input travels as a parameter value and is never spliced into the query text.
  • Guard against scripting exploits – ASP.NET performs request validation against query-string and form variables as well as cookie values. By default, if the current request contains HTML-encoded elements or certain HTML characters (such as &#151; for an em dash), the ASP.NET page framework raises an error. Request validation is a safety net, not a substitute for HTML-encoding every piece of user-supplied data that is rendered in a view.
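The settings named above all live in the system.web section of web.config. The fragment below, added here as an example and not a file shipped with nopCommerce, collects them in one place and shows the weak setting beside the hardened one where that is instructive. The login URL and error page paths (~/login, ~/error, ~/error/notfound) are placeholders; replace them with the routes of your own store.

```xml
<?xml version="1.0"?>
<!-- Added example: a hardened system.web section for an ASP.NET 4 store.
     Not nopCommerce's own web.config; the URLs below are placeholders. -->
<configuration>
  <system.web>
    <!-- Never deploy with debug="true": it disables request timeouts and
         puts source fragments into error pages. -->
    <compilation debug="false" targetFramework="4.0" />

    <!-- Forms Authentication. requireSSL="true" marks the auth cookie Secure so
         the browser never sends it over plain HTTP; protection="All" both signs
         and encrypts the ticket; a finite timeout limits a stolen ticket's life. -->
    <authentication mode="Forms">
      <forms loginUrl="~/login" requireSSL="true" protection="All"
             timeout="30" slidingExpiration="true" cookieless="UseCookies" />
    </authentication>

    <!-- Weak setting, shows stack traces and paths to anyone on the internet:
           <customErrors mode="Off" />
         Hardened: detailed errors only when browsing from the server itself;
         remote users get a generic page. -->
    <customErrors mode="RemoteOnly" defaultRedirect="~/error">
      <error statusCode="404" redirect="~/error/notfound" />
    </customErrors>

    <!-- Request-size cap in KB (4096 is the ASP.NET default): bounds upload size
         and the memory one request can consume. requestValidationMode="4.0"
         validates every request, not only .aspx pages. enableVersionHeader="false"
         drops the X-AspNet-Version response header. -->
    <httpRuntime maxRequestLength="4096" executionTimeout="110"
                 requestValidationMode="4.0" enableVersionHeader="false" />

    <!-- HttpOnly keeps cookies away from script; requireSSL marks them Secure. -->
    <httpCookies httpOnlyCookies="true" requireSSL="true" />

    <!-- Request validation stays on. It blocks obvious markup in input but is
         not a replacement for HTML-encoding output in views. -->
    <pages validateRequest="true" />

    <!-- Page tracing exposes request and session details; keep it off in production. -->
    <trace enabled="false" />
  </system.web>
</configuration>
```

requireSSL="true" on the forms and httpCookies elements only works once the store is actually served over HTTPS; on a plain-HTTP test site the browser will never return the cookie and logins will appear to fail, so enable SSL first and then turn these flags on.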
