Magento 1.x Software Support Notice
For Magento Commerce 1, Magento is providing software support through June 2020. Depending on your Magento Commerce 1 version, software support may include both quality fixes and security patches. Please review our Magento Software Lifecycle Policy to see how your version of Magento Commerce 1 is supported.
The security settings control the lifetime of Admin user sessions, timeouts, and passwords; whether the Admin and the storefront may be displayed inside a frame on another site (refusing to be framed prevents clickjacking); whether a secret key is appended to Admin URLs; and whether login credentials are compared case-sensitively.
For security reasons, Magento strongly recommends against running your store in a frame.
To configure Admin security:
1. On the Admin menu, select System > Configuration.
2. In the panel on the left, under Advanced, select Admin.
3. Click to expand the Security section, and do the following:
   a. To append a secret key to every Admin URL, set Add Secret Key to URLs to "Yes." A request whose URL lacks the current key, such as a link an attacker forged and tricked a logged-in administrator into following, is rejected, so this is the Admin's main defense against cross-site request forgery (CSRF). Leave it enabled unless an integration that builds Admin URLs itself cannot be made to include the key.
   b. To require the characters in login credentials to match the case of those saved in the system, set Login is Case Sensitive to "Yes."
   c. In the Session Lifetime (seconds) field, enter the number of seconds before an Admin session expires. A shorter lifetime reduces the window in which an unattended browser or a stolen session cookie can be used.
   d. To prevent clickjacking, set the following fields to at least "Only from same domain," which tells browsers to refuse to display the page inside a frame on any other site:
      - Allow Magento Backend to run in frame
      - Allow Magento Frontend to run in frame
      As a best security practice, do not allow any live store to run in a frame or iframe at all: set both fields to "No" unless you have a specific need to embed store pages in your own site.
   e. Set Admin routing compatibility mode for extensions to "Disable." While compatibility mode is enabled, Admin controllers supplied by extensions may also be reachable through legacy routes that bypass the Admin router; disabling it closes that path. Extensions that still depend on the legacy routing may need to be updated first, so test this change on a staging system.
   f. To determine the process that is followed when an Admin user forgets a password, set Forgot password flow secure to one of the following. The choice also determines which of the request limits in the next two steps are enforced.
      None: Forgotten passwords can be managed only by the store administrator.
      By IP and Email: The store sends the Admin user a request to confirm the password reset. The password can be reset by the user after the store receives confirmation from the email address associated with the Admin account.
      By IP: The Admin password can be reset online without additional confirmation.
      By Email: The Admin password can be reset only by responding to the notification sent to the email address associated with the Admin account.
   g. In the Forgot password requests to times per hour from 1 IP field, enter how many "forgot password" requests can be processed per hour from the same IP address.
   h. In the Forgot password requests to times per 24 hours from 1 email field, enter how many "forgot password" requests can be processed per day for the same email address. Low limits slow down an attacker who sprays reset requests at known Admin email addresses; keep them high enough that a legitimate user who mistypes an address is not locked out.
4. In the panel on the left, under Advanced, select System.
5. Click to expand the CSRF protection section. To protect your store from cross-site request forgery attacks, set Add Secret Key to Url to "Yes." Despite the similar name, this setting is separate from the Admin setting in step 3a: it enables validation of the form key that Magento embeds in storefront forms, so that a storefront POST request without a valid form key is rejected.
6. When complete, click the Save Config button.
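After saving, verify the settings from the outside rather than trusting the Admin screen. The following script is an added example and is not code from Magento or from this guide. It works offline on material you capture yourself (the output of `curl -sI` and saved page HTML) and rests on three assumptions that are not stated on this page: that Magento emits the frame settings as the X-Frame-Options response header (DENY for "No", SAMEORIGIN for "Only from same domain", no header for "Yes"); that an Admin URL with a secret key carries a `/key/<32 hex characters>/` path segment; and that storefront forms protected by the CSRF setting carry a hidden `form_key` input. The sample headers, URLs and form are constructed for the example, not captured from a real store.

```python
"""Offline checks for the Magento 1 Admin security settings configured above.

Added example, not Magento code. Assumptions (see lead-in): X-Frame-Options
carries the frame settings, Admin URLs carry /key/<32 hex>/, storefront forms
carry a hidden form_key input.
"""
import re
from typing import Dict, List

# X-Frame-Options value -> the Magento "Allow ... to run in frame" setting it implies.
FRAME_HEADER_TO_SETTING = {
    "DENY": "No",
    "SAMEORIGIN": "Only from same domain",
}
SECRET_KEY_RE = re.compile(r"/key/[0-9a-f]{32}/")          # assumed Admin secret-key segment
FORM_KEY_RE = re.compile(r"<input[^>]*\bname=['\"]form_key['\"][^>]*>", re.IGNORECASE)


def parse_header_block(raw: str) -> Dict[str, str]:
    """Turn raw `curl -sI URL` output into {lower-cased name: value}, skipping the status line."""
    headers: Dict[str, str] = {}
    for line in raw.splitlines():
        if ":" not in line or line.upper().startswith("HTTP/"):
            continue
        name, value = line.split(":", 1)
        headers[name.strip().lower()] = value.strip()
    return headers


def frame_setting(headers: Dict[str, str]) -> str:
    """Return the frame setting a response implies. Any header value other than
    DENY/SAMEORIGIN (including none, or ALLOW-FROM) is treated as framing allowed."""
    value = next((v for k, v in headers.items() if k.lower() == "x-frame-options"), "")
    return FRAME_HEADER_TO_SETTING.get(value.strip().upper(), "Yes")


def frame_policy_ok(headers: Dict[str, str], allow_same_origin: bool = False) -> bool:
    """True when the page refuses framing ("No"); "Only from same domain" passes only if permitted."""
    setting = frame_setting(headers)
    if setting == "No":
        return True
    return allow_same_origin and setting == "Only from same domain"


def admin_url_has_secret_key(url: str) -> bool:
    return SECRET_KEY_RE.search(url) is not None


def form_has_form_key(html: str) -> bool:
    return FORM_KEY_RE.search(html) is not None


def audit(frontend_raw: str, admin_raw: str, admin_urls: List[str], form_html: str,
          allow_same_origin_frontend: bool = False) -> Dict[str, bool]:
    """Combine the checks into one pass/fail map keyed by the setting being verified."""
    return {
        "backend_frame": frame_policy_ok(parse_header_block(admin_raw)),
        "frontend_frame": frame_policy_ok(parse_header_block(frontend_raw), allow_same_origin_frontend),
        "admin_secret_key": bool(admin_urls) and all(admin_url_has_secret_key(u) for u in admin_urls),
        "storefront_form_key": form_has_form_key(form_html),
    }


# Constructed sample captures (not taken from a real store).
SAMPLE_FRONTEND_HEADERS = "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nX-Frame-Options: SAMEORIGIN\r\n\r\n"
SAMPLE_ADMIN_HEADERS = "HTTP/1.1 200 OK\r\nX-Frame-Options: DENY\r\nSet-Cookie: adminhtml=abc; path=/; HttpOnly\r\n\r\n"
SAMPLE_ADMIN_URLS = [
    "https://store.example/index.php/admin/dashboard/index/key/0123456789abcdef0123456789abcdef/",
    "https://store.example/index.php/admin/catalog_product/edit/id/42/key/fedcba9876543210fedcba9876543210/",
]
SAMPLE_LOGIN_FORM = (
    '<form action="https://store.example/customer/account/loginPost/" method="post">'
    '<input name="form_key" type="hidden" value="AbCdEfGh12345678" />'
    '<input name="login[username]" type="email" /></form>'
)

if __name__ == "__main__":
    # The sample storefront answers SAMEORIGIN, so frontend_frame is reported as FAIL
    # under the guide's recommended policy of "No"; pass allow_same_origin_frontend=True
    # if you deliberately chose "Only from same domain".
    for name, ok in audit(SAMPLE_FRONTEND_HEADERS, SAMPLE_ADMIN_HEADERS,
                          SAMPLE_ADMIN_URLS, SAMPLE_LOGIN_FORM).items():
        print(f"{name:22s} {'OK' if ok else 'FAIL'}")
```

To run it against your own store, replace the samples with the text of `curl -sI https://your-store/` and `curl -sI https://your-store/index.php/admin/`, a few Admin URLs copied from the browser after logging in, and the saved HTML of a storefront form such as the customer login page. A report of "Yes" for either frame setting, a missing `/key/` segment, or a form without `form_key` means the corresponding step above did not take effect (cached pages and reverse proxies that strip headers are the usual reasons).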