Security of your Vendure application includes considering how to prevent and protect against common security threats such as:
Data breaches
Unauthorized access
Attacks aimed at disrupting the service
Vendure itself is designed with security in mind, but you must also consider the security of your own application code, the server environment, and the network architecture.
Basics
Here are some basic measures you should use to secure your Vendure application. These are not exhaustive, but they are a good starting point.
Change the default credentials
Do not deploy any public Vendure instance with the default superadmin credentials (superadmin:superadmin). Use your hosting platform's environment variables to set a strong password for the Superadmin account.
It is recommended that you install and configure the HardenPlugin for all production deployments. This plugin locks down your schema
(disabling introspection and field suggestions) and protects your Shop API against malicious queries that could otherwise overwhelm your server.
For a detailed explanation of how to best configure this plugin, see the HardenPlugin docs.
Harden the AssetServerPlugin
If you are using the AssetServerPlugin, it is possible by default to use the dynamic
image transform feature to overload the server with requests for new image sizes & formats. To prevent this, you can
configure the plugin to only allow transformations for the preset sizes, and limited quality levels and formats.
Since v3.1 we ship the PresetOnlyStrategy for this purpose, and
you can also create your own strategies.
The Open Worldwide Application Security Project (OWASP) is a nonprofit foundation that works to improve the security of software.
It publishes a top 10 list of common web application vulnerabilities: https://owasp.org/Top10
This section assesses Vendure against this list, stating what is covered out of the box (built in to the framework or easily configurable) and what needs to be additionally considered.
Vendure defaults to bcrypt with 12 salt rounds for storing passwords. This strategy is configurable if security requirements mandate alternative algorithms.
No deprecated hash functions (SHA1, MD5) are used in security-related contexts (only for things like creating cache keys).
Payment information is not stored in Vendure by default. Payment integrations rely on the payment provider to store all sensitive data.
To consider:
The Vendure server will not use TLS be default. The usual configuration is to handle this at the gateway level on your production platform.
If a network caching layer is used (e.g. Stellate), ensure it is configured to not cache user-related data (customer details, active order etc)