Hardening site security checklist

To harden the security of your HCL Commerce site, you can enable and configure various security features. In addition, site customizations must always be made to comply with best practices as outlined in this document.

This is not an all-inclusive list of security measures for your site. This list is designed primarily to facilitate navigation of the HCL Commerce security section of the HCL Commerce documentation, and to highlight security considerations for HCL Commerce customizations and the secure configuration of other companion products. Further security hardening might be required to ensure the security of your site. For more information about security standards, see Security standards.

Development

This list is provided for the purposes of development. Ensure that your site customizations conform to the best practices laid out in the following topics:

Review the securing and developing sections of the HCL Commerce documentation. Ensure that you are aware of all security features and development best practices that are in place before you develop additions or customizations.
Ensure that proper access control is used in all customizations and additions. See, Implementing access control. For a closer look at how to avoid common pitfalls with access control, and for examples of correct implementation, see:
- DB2 security, Part 8: Twelve DB2 security best practices.
- Hardening Site Security – Implementing Access Control with Commands.
Reduce the threat of cross-site scripting attacks by ensuring that all output is encoded using the wcf:out tag. For more information about the out tag, see Tag: out. Alternatively, the standard c:out tag can also be used.
Enable cross-site request forgery protection to protect any sensitive actions. For more information about enabling cross-site request forgery protection, see Enabling cross-site request forgery protection in Struts, Enabling cross-site request forgery protection in REST, and Enabling cross-site request forgery in Spring.

Configuration

This list is provided for the purposes of site administration. Ensure that your site is configured to be hardened against common attack vectors with the following topics:

Protect your merchant and payment keys by using the Key Locator Framework (KLF).
Ensure that login timeouts are enabled for user sessions. To enable session timeouts, see Session timeout. This is even more critical if you have enabled multiple logon support.
Enable whitelist data validation for store URLs and REST calls to disallow non-conforming parameters. For information on whitelist filtering, see Enabling WhiteList data validation.
Ensure that cross-site scripting protection remains enabled. To ensure that this feature is enabled, see Enabling cross-site scripting protection.
Upgrade your database encryption to a stronger standard to reduce the chance of a successful brute force attack. For instructions on upgrading your database encryption, see Updating encrypted data in the database using MigrateEncyrptedInfo.
Implement business object thresholds to reduce the threat of denial of service attacks. For instructions on implementing business object thresholds, see Business Object thresholds.
Use the updateua utility to assign and restrict database permissions for essential control only. For more information about the updateua utility, see Update user authorization utility.
Ensure that password complexity rules and account lockout policies are in place. See, Setting up a password policy, and Setting up an account lockout policy.
Ensure that privileged users, such as customer service representatives and site administrators, are prevented from logging in to your site from external networks. For more information about controlling privileged users' access, see Prevent privileged users from logging in externally.
Ensure that the STORECONF table is only populated with non-sensitive store configuration data. This is due to the fact that it is intended to be accessible by unauthenticated store client code.

Deployment

This list is provided for the purposes of site deployment. Ensure that your site is configured to be hardened against common attack vectors with the following topics:

Ensure that your production environments use Kubernetes, and not any other form of Docker container orchestration. You must spend considerable time and effort architecting your Kubernetes deployment with consideration toward security hardening, load balancing, ingress routing, and performance tuning. For more information, see Deploying HCL Commerce Version 9.1 on Kubernetes.
Ensure that you have specified your own merchant key, key encryption key, session key, and spiuser password.
For more information, see:
- Environment data in Vault.
- Setting the spiuser password in your Docker images.
Limit system privileges by running your deployment as a non-root user. For more information, see HCL Commerce container users and privileges.
Enable vaultLoadDataWithSecret to improve the security of your Vault data. For more information, see Deploying a development Vault for HCL Commerce on Kubernetes.

Maintenance and operations

This list is provided for the purposes of site administration on an ongoing basis. Timely review and application of security and maintenance patches ensures that you are aware of ongoing security issues, and that your site is up-to-date and hardened against attacks that would otherwise succeed:

Subscribe to HCL Commerce security bulletins, and review all published security bulletins. For more information, see Security bulletins.
Ensure that you keep your product up to date with the latest maintenance fix packages. Pay particular attention to security-related bulletins.
Test your site thoroughly, and on an ongoing basis. Pay particular attention to any site customizations. Remember: Security is an ongoing process, not a product, or task that is ever complete.
Implement an encryption key rotation schedule, and ensure that the process is secure. This process reduces the chance of a successful brute force attack, and mitigates the potential outcomes of a compromised key. For information on how to change your encryption key, see MigrateEncryptedInfo utility.
Use the -passwordFile parameter for all command-line utilities that have such a parameter to limit the exposure of plain text passwords.

Other software

HCL Commerce is just one piece of a larger group of software that is required to run your site. Ensure that you correctly configure and harden all software that is part of your installation. Ensure that you are prompt with all maintenance and security releases. Any customizations made to these products must also adhere to the respective documented best practices.

Find flashes, alerts, and bulletins, and download fixes for all IBM products on the IBM Support Portal. See, IBM Support Portal.
Subscribe to receive critical product updates for any IBM product through email or RSS. See, Critical IBM software support updates.

Review the following documentation for each piece of software that you use for more security recommendations:

Note: This list is not exhaustive, and is limited to IBM products.

IBM Sterling Order Management
IBM HTTP Server
- Review and implement all standard web server security considerations. For web server security considerations, see Web server security considerations.
- Reduce the threat of click jacking by enabling the X-Frame-Options header. For instructions on enabling the X-Frame-Options header, see Enabling the X-Frame-Options header.
IBM Db2 Database
- Review Db2 security, Part 8: Twelve Db2 security best practices.