Security in Donation Store

Learn About the Security Measures Used in Donation Store

HTTPS and SSL Certificate

Browsers like Chrome and Firefox will eventually start marking sites that do not have an SSL certificate as unsafe. Because of this we encourage all of our customers to set up their webstore with a free SSL certificate; you can get one at LetsEncrypt.org. Not only does a secure webstore look good to customers, it also keeps connections to external plugins and gateways safe.

CSRF, XSS, SQL Injection and Clickjacking Protection

Donation Store is built on the Django framework, meaning that it has built-in protection against CSRF (Cross-Site Request Forgery), XSS (Cross-Site Scripting), SQL Injection and Clickjacking.

CSRF protection works by checking for a secret in each POST request. This ensures that a malicious user cannot simply “replay” a form POST to your website and have another logged-in user unwittingly submit that form. The malicious user would have to know the secret, which is user specific (stored in a cookie). Each form in Donation Store generates a unique token that is used for verification.

When using the templates found in Donation Store, most of the content is escaped to prevent people from injecting malicious code into it via XSS. This is why template variables, e.g.
{{ webstore.name }}
should not have any custom tags or filters applied to them.

Donation Store's querysets are protected from SQL injection because their queries are constructed using query parameterisation: a query's SQL code is defined separately from the query's parameters. Since parameters may be user-provided and therefore unsafe, they are escaped by the underlying database driver.
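To show what parameterisation buys you, here is an added example (not Donation Store's or Django's own code) that uses Python's sqlite3 driver directly on a constructed, hypothetical package table. The ORM hides this step from you; the example compares a query built by string formatting with one that hands the value to the driver as a parameter.

```python
import sqlite3

# Constructed sample rows standing in for a webstore's packages
# (hypothetical schema, not Donation Store's real models).
SAMPLE_PACKAGES = [
    ("Diamond Rank", 9.99),
    ("Gold Rank", 4.99),
    ("Starter Kit", 1.99),
]


def make_db():
    """Build an in-memory database holding the sample packages."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE package (id INTEGER PRIMARY KEY, name TEXT, price REAL)")
    conn.executemany("INSERT INTO package (name, price) VALUES (?, ?)", SAMPLE_PACKAGES)
    return conn


def find_by_name_unsafe(conn, name):
    """The SQL text is assembled from the input, so the input can rewrite the query."""
    sql = "SELECT name FROM package WHERE name = '%s'" % name
    return [row[0] for row in conn.execute(sql)]


def find_by_name_safe(conn, name):
    """The SQL text is fixed; the driver binds `name` as data, as Django's ORM does."""
    sql = "SELECT name FROM package WHERE name = ?"
    return [row[0] for row in conn.execute(sql, (name,))]


def demo():
    """Run both lookups on a hostile string and on a harmless one containing a quote."""
    conn = make_db()
    hostile = "x' OR '1'='1"      # changes the WHERE clause when spliced into SQL text
    quoted = "Builder's Pack"     # ordinary input that merely breaks string-built SQL
    try:
        unsafe_quoted = find_by_name_unsafe(conn, quoted)
    except sqlite3.OperationalError:
        unsafe_quoted = "syntax error"
    return {
        "unsafe_hostile": find_by_name_unsafe(conn, hostile),  # every row leaks
        "safe_hostile": find_by_name_safe(conn, hostile),      # no package has that name
        "unsafe_quoted": unsafe_quoted,                        # the query itself breaks
        "safe_quoted": find_by_name_safe(conn, quoted),        # quote handled as data
        "safe_exact": find_by_name_safe(conn, "Gold Rank"),    # normal lookup still works
    }
```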

Donation Store contains clickjacking protection in the form of the X-Frame-Options middleware, which in a supporting browser prevents the site from being rendered inside a frame. The protection can be disabled on a per-view basis, or the exact header value sent can be configured.

Most of the security features described above are taken from the Django Software Foundation website. If you would like to read more about the security measures Donation Store inherits from Django, you can do so here.