Security is one of the most important topics in running an online store. It can be split into two areas, GrandNode security and MongoDB security, and I will describe them separately. The easiest changes you can make are on the GrandNode side.
The actions presented below are not hard to implement and can be carried out by beginners, so read on and start securing your e-commerce store.
Localhost as default bind IP Address
Starting with MongoDB 3.6, to improve the security of database servers, the developers changed the default bind IP address. Instead of 0.0.0.0, a fresh installation binds to localhost (127.0.0.1), so it does not accept connections from other hosts unless you explicitly configure it to.
Previously, the first step of MongoDB configuration was to change the bind IP address in the MongoDB config file; now the safe value is the default. As the MongoDB developers say, it was a key change for improving the security of MongoDB database servers. If your GrandNode store runs on a different host than MongoDB, add only that host's address to bindIp rather than reverting to 0.0.0.0, and remember that binding to localhost does not enable authentication, which is still off by default.
IP Whitelisting for Authentication
If you enable IP whitelisting in MongoDB (authenticationRestrictions, available since 3.6), it becomes much harder to get past your defenses. According to the MongoDB documentation, once you attach authentication restrictions to a user or role, every field in the restriction document must be satisfied when that user authenticates; otherwise authentication is rejected immediately. Note that this is a control on authentication, not a firewall: an attacker who reaches the port can still probe it, so it complements the bind IP setting rather than replacing it.
Below is a simple example taken from the MongoDB docs.
It shows how the restriction document attached to a database user or role can be set to allow only clients connecting from 192.168.17.6 (and localhost), and to allow that user to authenticate only against server addresses in 10.10.10.0/24 (and localhost). With the following syntax, both the client address and the server address must match during authentication for the login to succeed.
clientSource: ["192.168.17.6", "127.0.0.1"]
serverAddress: ["10.10.10.0/24", "127.0.0.1"]
Role-Based Access Control
Create a user administrator first; that is the point to start from. Once the user administrator exists and authorization is enabled, create additional users to manage each database. The MongoDB documentation recommends a unique user for each person or application that accesses the system, so create a unique database user for each GrandNode store.
It's also important, though often skipped, to create roles that grant each user only the specific, limited access it needs: a store's application user needs readWrite on its own database, not root or one of the AnyDatabase roles. More information can be found in the official MongoDB documentation.
Encrypt communication in your store
You should configure your store and MongoDB to use TLS (still commonly called SSL). It's one of the most important things now that Google Chrome has started to mark websites without HTTPS as not secure. If you don't want to buy a certificate, you can use a free Let's Encrypt certificate for your store.
If Google Chrome is fighting sites without a certificate, the other browsers will probably follow.
Don't worry, MongoDB also supports TLS/SSL connections, so the link between GrandNode and the database can be encrypted as well, which matters most when the database runs on a separate host.
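The MongoDB side of this, as an added configuration example that is not from the article or from GrandNode: a mongod.conf fragment using the MongoDB 3.6 option names, combining the bind IP, authorization and TLS settings discussed so far. The certificate paths and the second bindIp address (a hypothetical GrandNode host) are assumptions; on MongoDB 4.2 and later the same settings live under net.tls (mode: requireTLS, certificateKeyFile).

```yaml
# Added example mongod.conf fragment (MongoDB 3.6 option names); not GrandNode's
# own configuration. Paths and the 10.10.10.5 address are assumptions.
net:
  port: 27017
  # 127.0.0.1 is the 3.6 default. Add only the GrandNode host's address when
  # the store runs on another machine; never fall back to 0.0.0.0.
  bindIp: 127.0.0.1,10.10.10.5
  ssl:
    mode: requireSSL                    # refuse unencrypted connections
    PEMKeyFile: /etc/ssl/mongodb.pem    # server certificate and private key
    CAFile: /etc/ssl/ca.pem             # CA used to validate certificates
security:
  authorization: enabled                # enforce the users and roles created above
```

With requireSSL in place, the connection string GrandNode uses has to request encryption too, for example `mongodb://grandnode_store1_app:<password>@10.10.10.5:27017/grandnode_store1?ssl=true`, otherwise the store will fail to connect rather than silently fall back to plaintext.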
Password lifetime and PCI Compliance
This feature is available from GrandNode 3.90. To meet PCI DSS requirements, a few features related to password creation and management had to be implemented.
All related settings can be found in "Admin panel -> Configuration -> Settings -> Customer settings".
It's important for admin users to change their passwords regularly.
You can set the minimum password length, the password lifetime, the number of previous passwords that may not be reused, and the maximum number of failed logins before the account is locked. These controls are among the most important parts of PCI DSS compliance.
It's always necessary to keep the software updated. Each version contains new features and bug fixes. E-commerce is constantly evolving, and so is its dark side; your store can't stand still while the rest of the industry moves forward. As you can see, our e-commerce software is still growing, and we publish new versions every few months.