Site security considerations

To enhance the security of the WebSphere Commerce site, we can enable various features in Administration Console or in the WebSphere Commerce configuration file.

• Enable timeout
  
• Enable password invalidation
  
• Encrypt data
  
• Enforce TLS Version 1.2
  
• Enable the X-Frame-Options header
  
• Enable cross-site scripting protection
  
• Enable cross-site request forgery in Spring
  
• Disable cross-site scripting protection for the Management Center
  
• Enable WhiteList data validation
  
• Enable cross-site request forgery protection in Struts
  
• Enable cross-site request forgery protection in REST
  
• Enable URL redirect filtering
  
• Enable access logging
  
• Enable SSL for outbound web services
  
• Encrypte data in custom code using EncryptionFactory
  
• Security consideration for the Internet Information Services (IIS) web server
  
• Web server security considerations
  
• Set up account related policies
  
• Enable password-protected commands
  
• Configure storefront Reset Password feature to use validation codes
  
• Prevent privileged users from logging in externally