Magento Open Source, 1.9.x

Security Configuration

The security settings give you the ability to control the lifetime of user sessions, and whether to allow your Magento store to run in a frame. (This setting can prevent clickjacking.) In addition you can add a secret key to URLs, and determine the case sensitivity of login credentials.

For security reasons Magento strongly recommends against running your store in a frame.

To configure Admin security:

1. On the Admin menu, select System > Configuration.
2. In the panel on the left, under Advanced, select Admin. Click to expand the Security section. Then, do the following:
a. To protect your store against Admin exploits, set Add Secret Key to URLs to "Yes."
b. To require Admin user logins to match the case of the credentials stored in the system, set Login is Case Sensitive to "Yes."
c. To determine the length of each Admin session, enter the number of seconds of keyboard inactivity that is allowed before the session times out in the Session Lifetime (seconds) field.
d. To prevent "clickjacking," we recommend that you set the following fields to "Only from same domain."
  • Allow Magento Backend to run in frame
  • Allow Magento Frontend to run in frame

As a best security practice, it is recommended that you do not allow any live store to run in a frame or iframe.

e. To protect the Admin from automated attacks, set Admin routing compatibility mode for extensions to "Disable."
f. To determine the process that is followed when a customers forget their passwords, set Forgot password flow secure to one of the following:
  • Disabled

    Forgotten passwords can be managed only by the store administrator.

    By IP and Email

    The store sends the Admin user a request to confirm the password reset. The password can be reset by the user after the store receives confirmation from the email address associated with the Admin account.

    By IP

    The Admin password can be reset online without additional confirmation.

    By Email

    The Admin password can be reset only by responding to the notification sent to the email address associate with the Admin account.

g. To determine how many "forgot password" requests can be processed per hour from the same IP address, enter the number of allowed requests in the Forgot password requests to times per hour from 1 IP field.
h. To determine how many "forgot password" requests can be processed per day from the same email address, enter the number of allowed requests in the Forgot password requests to times per 24 hours from 1 email field.
3. In the panel on the left, under Advanced, select System.
4. Click to expand the CSRF protection section. To protect your store from cross-site request forgery attacks, set Add Secret Key to Url to “Yes.”

CSRF Protection
5. When complete, click the Save Config button.