Security of your Vendure application includes considering how to prevent and protect against common security threats such as:
Vendure itself is designed with security in mind, but you must also consider the security of your own application code, the server environment, and the network architecture.
Here are some basic measures you should use to secure your Vendure application. These are not exhaustive, but they are a good starting point.
Do not deploy any public Vendure instance with the default superadmin credentials (superadmin:superadmin). Use your hosting platform's environment variables to set a strong password for the Superadmin account.
It is recommended that you install and configure the HardenPlugin for all production deployments. This plugin locks down your schema (disabling introspection and field suggestions) and protects your Shop API against malicious queries that could otherwise overwhelm your server.
Install the plugin:
Then add it to your VendureConfig:
For a detailed explanation of how to best configure this plugin, see the HardenPlugin docs.
If you are using the AssetServerPlugin, it is possible by default to use the dynamic image transform feature to overload the server with requests for new image sizes & formats. To prevent this, you can configure the plugin to only allow transformations for the preset sizes, and limited quality levels and formats. Since v3.1 we ship the PresetOnlyStrategy for this purpose, and you can also create your own strategies.
The Open Worldwide Application Security Project (OWASP) is a nonprofit foundation that works to improve the security of software.
It publishes a top 10 list of common web application vulnerabilities: https://owasp.org/Top10
This section assesses Vendure against this list, stating what is covered out of the box (built in to the framework or easily configurable) and what needs to be additionally considered.
Out of the box:
To consider:
Out of the box:
To consider:
Reference: https://owasp.org/Top10/A03_2021-Injection/
Out of the box:
To consider:
Out of the box:
To consider:
Out of the box:
To consider:
Out of the box:
To consider:
Out of the box:
To consider:
To consider:
Out of the box:
To consider:
Out of the box:
To consider:
Architecture reviews, custom plugin work, migrations, ongoing support. Get a hand from the team that builds Vendure.
Talk to the team