
Security Hardening

Security best practices for O2VEND themes and apps.

Overview

Security is critical for protecting user data and preventing attacks. This guide covers security hardening techniques.

Common Security Threats

1. Cross-Site Scripting (XSS)

Prevention

Always escape user input:

<!-- ❌ Vulnerable -->
{{ user_input }}

<!-- ✅ Safe -->
{{ user_input | escape }}
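To make the difference between the two template lines concrete, here is a small escape function and two render helpers in plain JavaScript. This is an added example, not O2VEND's own `escape` filter; the `escapeHtml`, `renderUnsafe` and `renderSafe` names and the sample review text are constructed for illustration.

```javascript
// Escape the five characters that can break out of HTML text or attribute context.
// Added example: a stand-in for the template engine's `escape` filter, not O2VEND code.
const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',
};

function escapeHtml(value) {
  // Coerce non-strings (numbers, null) so a missing value never renders as "undefined" markup
  return String(value ?? '').replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Equivalent of `{{ user_input }}`: raw interpolation, vulnerable to XSS
function renderUnsafe(userInput) {
  return `<p class="review">${userInput}</p>`;
}

// Equivalent of `{{ user_input | escape }}`: the input is rendered as text, never as markup
function renderSafe(userInput) {
  return `<p class="review">${escapeHtml(userInput)}</p>`;
}

// Constructed sample input: a product review that contains markup
const SAMPLE_REVIEW = 'Great product <b>5 stars</b> & "recommended"';

function demo() {
  return { unsafe: renderUnsafe(SAMPLE_REVIEW), safe: renderSafe(SAMPLE_REVIEW) };
}

if (typeof require !== 'undefined' && require.main === module) {
  const out = demo();
  console.log(out.unsafe); // the user's <b> tag is interpreted by the browser
  console.log(out.safe);   // the tag is shown literally as text
}
```

Escaping has to match the context the value lands in: the function above is correct for HTML text and quoted attribute values, but a value placed inside a `<script>` block, a URL or a CSS rule needs the encoding for that context instead.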

Content Security Policy

<meta http-equiv="Content-Security-Policy"
      content="default-src 'self'; script-src 'self' 'unsafe-inline';">

Note that 'unsafe-inline' in script-src lets injected inline scripts execute, so the policy above only blocks script loads from other origins. Move the theme's inline scripts into files served from 'self' (or allow them individually with a nonce or hash) and drop 'unsafe-inline' to get CSP's protection against XSS. A policy set through a meta tag also cannot use directives such as frame-ancestors or report-uri; deliver it as an HTTP response header where the hosting allows it.
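A reviewer checking a theme's policy wants to see the weak settings flagged rather than read the string by eye. The following is an added example, not part of the O2VEND docs: it parses a CSP value into its directives and reports the script-related settings that weaken it. The `parseCsp` and `auditCsp` names and the two sample policies are constructed.

```javascript
// Parse a Content-Security-Policy value into a map of directive -> list of sources.
// Added example for reviewing a theme's CSP; not O2VEND code.
function parseCsp(policy) {
  const directives = new Map();
  for (const part of policy.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    directives.set(name.toLowerCase(), sources.map((s) => s.toLowerCase()));
  }
  return directives;
}

// Return a list of findings for the settings that weaken control over script execution.
function auditCsp(policy) {
  const d = parseCsp(policy);
  const findings = [];
  // script-src falls back to default-src when absent, so audit whichever applies
  const scriptSrc = d.get('script-src') || d.get('default-src');
  if (!scriptSrc) {
    findings.push('no script-src or default-src: scripts from any origin are allowed');
    return findings;
  }
  if (scriptSrc.includes("'unsafe-inline'")) {
    findings.push("script-src allows 'unsafe-inline': injected inline scripts can run");
  }
  if (scriptSrc.includes("'unsafe-eval'")) {
    findings.push("script-src allows 'unsafe-eval': string-to-code (eval) is permitted");
  }
  if (scriptSrc.includes('*')) {
    findings.push('script-src allows *: scripts may load from any origin');
  }
  const hasNonceOrHash = scriptSrc.some((s) => /^'(nonce-|sha(256|384|512)-)/.test(s));
  // With a nonce or hash present, CSP3 browsers ignore 'unsafe-inline' for that directive
  if (scriptSrc.includes("'unsafe-inline'") && hasNonceOrHash) {
    findings.push("note: a nonce/hash is also set, so CSP3 browsers ignore 'unsafe-inline' but older ones honour it");
  }
  return findings;
}

// Constructed sample policies: the one from the meta tag above and a hardened variant
const WEAK_POLICY = "default-src 'self'; script-src 'self' 'unsafe-inline';";
const HARDENED_POLICY = "default-src 'self'; script-src 'self' 'nonce-r4nd0m'; object-src 'none'; base-uri 'self';";

if (typeof require !== 'undefined' && require.main === module) {
  console.log(auditCsp(WEAK_POLICY));     // one finding about 'unsafe-inline'
  console.log(auditCsp(HARDENED_POLICY)); // []
}
```

The hardened sample also sets object-src 'none' and base-uri 'self', two directives that close plugin and base-tag loopholes and are cheap to add to any theme policy.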

2. SQL Injection

Prevention

Use parameterized queries:

// ❌ Vulnerable
const query = `SELECT * FROM users WHERE id = ${userId}`;

// ✅ Safe
const query = 'SELECT * FROM users WHERE id = ?';
db.query(query, [userId]);

3. CSRF Attacks

Prevention

Use CSRF tokens. Render a secret token tied to the visitor's session into every form that changes state, and have the server reject any POST whose token is missing or does not match the one stored for that session:

<form method="post" action="/cart/add">
  <input type="hidden" name="csrf_token" value="{{ csrf_token }}">
  <!-- Form fields -->
</form>

Theme Security

1. Input Validation

{% if product and product.id %}
  {{ product.name | escape }}
{% endif %}

2. Secure Asset Loading

<!-- Use asset_url filter -->
{{ 'script.js' | asset_url | script_tag }}

<!-- Don't use external scripts without verification -->

3. Sanitize User Content

{{ user_content | strip_html | escape }}

App Security

1. Validate App Inputs

function validateAppInput(input) {
  // typeof null === 'object', so reject null explicitly before reading its fields
  if (input === null || typeof input !== 'object') {
    throw new Error('Invalid input');
  }
  // Validate required fields
  if (!input.id || !input.name) {
    throw new Error('Missing required fields');
  }
  return input;
}

2. Secure API Calls

// Use HTTPS
const apiUrl = 'https://api.example.com';

// Validate responses
function validateApiResponse(response) {
  if (!response || !response.data) {
    throw new Error('Invalid API response');
  }
  return response.data;
}

API Security

1. Authentication

// Use Bearer tokens
const headers = {
  'Authorization': `Bearer ${token}`,
  'Content-Type': 'application/json'
};

2. Rate Limiting

// Implement rate limiting (fixed window: at most `limit` requests per `windowMs` per client)
const rateLimiter = {
  requests: new Map(),

  checkLimit(ip, limit = 100, windowMs = 60 * 1000) {
    const now = Date.now();
    const entry = this.requests.get(ip);
    // Start a fresh window when the client is new or its previous window has expired;
    // without a window the counter would never reset and every client would eventually be blocked
    if (!entry || now - entry.windowStart >= windowMs) {
      this.requests.set(ip, { count: 1, windowStart: now });
      return;
    }
    if (entry.count >= limit) {
      throw new Error('Rate limit exceeded');
    }
    entry.count += 1;
  }
};

3. Input Validation

function validateApiInput(input, schema) {
  if (input === null || typeof input !== 'object') {
    throw new Error('Invalid input');
  }
  // Validate against schema: test for absence (undefined or null) rather than falsiness,
  // so legitimate values such as 0, false or '' are not reported as missing
  for (const field in schema) {
    if (schema[field].required && (input[field] === undefined || input[field] === null)) {
      throw new Error(`Missing required field: ${field}`);
    }
  }
  return input;
}

Data Protection

1. Encrypt Sensitive Data

const crypto = require('crypto');

// `key` must be 32 random bytes (for example from crypto.randomBytes(32), kept in a
// secret store), not a password string used directly
function encrypt(data, key) {
  // crypto.createCipher is deprecated: it derives the key from a password without a
  // salt and uses no IV. Use createCipheriv with a fresh random IV and an
  // authenticated mode (GCM) so modified ciphertext is detected on decryption.
  const iv = crypto.randomBytes(12);
  const cipher = crypto.createCipheriv('aes-256-gcm', key, iv);
  let encrypted = cipher.update(data, 'utf8', 'hex');
  encrypted += cipher.final('hex');
  const tag = cipher.getAuthTag().toString('hex');
  // Store the IV and authentication tag with the ciphertext; both are needed to decrypt
  return `${iv.toString('hex')}:${tag}:${encrypted}`;
}

2. Secure Storage

  • Never store passwords in plain text
  • Use a slow, salted password hash (scrypt, bcrypt or Argon2) for passwords and other secrets you only need to verify, never to read back
  • Encrypt data at rest
  • Use secure session storage

Security Checklist

  • All user input is validated and escaped
  • CSRF protection implemented
  • HTTPS used for all connections
  • Authentication tokens are secure
  • Rate limiting implemented
  • Error messages don't leak sensitive information
  • Dependencies are up to date
  • Security headers configured
  • Regular security audits performed