Security in Donation Store

Learn about the measures Donation Store implements to remain secure

HTTPS and SSL Certificate

The first step in ensuring security on your Donation Store webstore is to install an SSL certificate. Please follow our SSL Certificate Installation Doc for more information on how to set up an SSL certificate on your webstore.

CSRF, XSS, SQL Injection and Clickjacking Protection

Donation Store is built on the Django framework, meaning that it has built-in protection against CSRF (Cross-Site Request Forgery), XSS (Cross-Site Scripting), SQL injection and clickjacking.

CSRF protection works by checking for a secret in each POST request. This ensures that a malicious user cannot simply "replay" a form POST to your website and have another logged-in user unwittingly submit that form. The malicious user would have to know the secret, which is user-specific (it is tied to a cookie). Each form in Donation Store generates a unique token that is used for verification.

When using the templates found in Donation Store, most of the content is escaped to prevent people from injecting malicious code into it via XSS. This is why template variables, e.g. {{ webstore.name }}, should not have any custom tags or filters applied to them.

Donation Store's querysets are protected from SQL injection because their queries are constructed using query parameterisation: a query's SQL code is defined separately from the query's parameters. Since parameters may be user-provided and therefore unsafe, they are escaped by the underlying database driver.

Donation Store contains clickjacking protection in the form of the X-Frame-Options middleware, which in a supporting browser can prevent the site from being rendered inside a frame. The protection can be disabled on a per-view basis, or the exact header value sent can be configured.

Most of the descriptions above are taken from the Django Software Foundation website. If you would like to read more about the security measures Donation Store inherits from Django, you can do so here.

Password Hashing

Donation Store uses the PBKDF2 algorithm with a SHA-256 hash, a password-stretching mechanism recommended by NIST. This is very secure and would require massive amounts of computing time to break.
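To show what PBKDF2 password stretching looks like in practice, here is an added example written for this page (it is not Donation Store's or Django's own code). It uses only the Python standard library to hash a password with PBKDF2-HMAC-SHA256, store it in an `algorithm$iterations$salt$hash` layout, verify it in constant time, and detect stored hashes whose work factor should be raised; the helper names and the iteration count are assumptions.

```python
import base64
import hashlib
import hmac
import secrets
from typing import Optional

# Hypothetical helper module; the storage layout mirrors the common
# "<algorithm>$<iterations>$<salt>$<hash>" shape but is an illustration only.
ALGORITHM = "pbkdf2_sha256"
DEFAULT_ITERATIONS = 600_000  # assumption: a large work factor chosen for this example


def make_password(password: str, salt: Optional[str] = None,
                  iterations: int = DEFAULT_ITERATIONS) -> str:
    """Stretch a password with PBKDF2-HMAC-SHA256 and encode it for storage."""
    if salt is None:
        salt = secrets.token_urlsafe(16)  # fresh random salt per stored password
    if "$" in salt:
        raise ValueError("salt must not contain the '$' separator")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt.encode("utf-8"), iterations)
    encoded = base64.b64encode(digest).decode("ascii")
    return f"{ALGORITHM}${iterations}${salt}${encoded}"


def check_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and iterations, compare in constant time."""
    try:
        algorithm, iterations, salt, _ = stored.split("$", 3)
    except ValueError:
        return False  # malformed stored value
    if algorithm != ALGORITHM:
        return False
    candidate = make_password(password, salt=salt, iterations=int(iterations))
    return hmac.compare_digest(candidate, stored)


def needs_rehash(stored: str, target_iterations: int = DEFAULT_ITERATIONS) -> bool:
    """True when a stored hash uses fewer iterations than the current policy."""
    algorithm, iterations, _, _ = stored.split("$", 3)
    return algorithm != ALGORITHM or int(iterations) < target_iterations


if __name__ == "__main__":
    stored = make_password("correct horse battery staple")
    print(stored)
    print("verified:", check_password("correct horse battery staple", stored))
```

On a successful login the plaintext is briefly available, which is the moment to call `needs_rehash` and re-store the password at the current iteration count.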


Other clients and Donation Store developers hang out on our Discord server, where you can ask for support in #ds-chat. If you are a Client and you don't yet have your Client role on Discord, let us know and we can add it. Once added, you get access to our private Clients' support channel.