The 'General settings/Security options' page allows you to adjust options that affect your store's security (the encryption methods used in your store, HTTPS options, etc.) and to test the encryption of data by PGP/GnuPG.
General security options
▪ Order emails encryption method: The method to be used for encrypting order emails.
▪ Comma separated list of file extensions disallowed for uploading: A comma separated list of disallowed file extensions (for example, php, pl, cgi, asp, exe, com, bat, pif). Files with these extensions cannot be uploaded to the server.
▪ Check if payment gateway response is coming from the IP's specified here (enter a comma separated list): A comma separated list of IP addresses from which payment gateway responses are accepted.
▪ Blowfish encryption method is enabled: Enabling this option enables Blowfish encryption for order details. As soon as you select the check box and click the Save button, you are redirected to a page where you are prompted to create a Merchant key, a password which X-Cart uses to encrypt and decrypt order details with the Blowfish encryption method. After you create a Merchant key, all the order details in your store are re-encrypted using this new key.
Important: You will be required to enter your Merchant key as a password every time you access order details. Make sure you keep your Merchant key in a secure place. If you forget your Merchant key, all the order details stored in your database will be lost, as you will not be able to decrypt them. Please also be aware that the 'Blowfish encryption method is enabled' option cannot be disabled without a valid Merchant key.
▪ Check MD5 of compiled templates for better store protection at a shared hosting: If selected, a special routine checks whether the MD5 checksums of the compiled templates of pages served to a user's web browser match the authentic checksums for these templates. If the sums for a certain compiled template do not match, the template is discarded and compiled anew. Compiled templates whose MD5 checksum does not match the authentic one are considered potentially harmful: the checksum mismatch indicates that the PHP code of such templates has been altered and may contain malicious code.
Note: Enabling this option is recommended if your X-Cart is installed on shared (public) hosting.
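The three list-based checks described above (the disallowed upload extensions, the payment gateway IP list and the compiled-template MD5 comparison) are easy to get subtly wrong. The following is an added illustration written for this page, not X-Cart's own code: it shows one defensible way to implement each check, including the edge cases a reviewer would probe (mixed-case and multi-dot file names, whitespace and typos in the comma separated settings, trusting only the real peer address for gateway callbacks, and a constant-time checksum comparison). The setting values and the compiled template bytes are constructed samples.

```python
"""Added example (not X-Cart code): the security-option checks from the
'General security options' list as plain functions.  Setting values are
constructed samples written the way the settings page expects them."""
import hashlib
import hmac
import ipaddress
from typing import Iterable, List

# Constructed sample settings (the IPs are TEST-NET-3 documentation addresses).
DISALLOWED_EXTENSIONS = "php, pl, cgi, asp, exe, com, bat, pif"
GATEWAY_IPS = "203.0.113.10, 203.0.113.11"


def parse_csv_setting(value: str) -> List[str]:
    """Split a comma separated setting, trimming blanks and dropping empty items."""
    return [item.strip() for item in value.split(",") if item.strip()]


def upload_allowed(filename: str, disallowed: Iterable[str]) -> bool:
    """Reject a file if ANY dotted segment after the base name is on the blocklist.

    Checking only the final extension is a classic gap: 'shell.php.txt' and
    'shell.php.' must be treated like 'shell.php'.  The comparison is
    case-insensitive so that 'Shell.PHP' is not accepted either.
    """
    blocked = {ext.lower().lstrip(".") for ext in disallowed}
    name = filename.strip().rstrip(".")      # trailing dots are dropped by some filesystems
    segments = name.lower().split(".")[1:]   # every segment after the base name
    if not segments:
        return True                          # no extension at all: nothing on the list matches
    return not any(seg in blocked for seg in segments)


def gateway_ip_trusted(remote_addr: str, allowed: Iterable[str]) -> bool:
    """Accept a payment gateway response only from an exactly listed address.

    remote_addr must be the TCP peer address (REMOTE_ADDR), never a
    client-supplied header such as X-Forwarded-For.  Entries in the setting
    that do not parse as IP addresses are ignored rather than matching anything.
    """
    try:
        peer = ipaddress.ip_address(remote_addr.strip())
    except ValueError:
        return False
    trusted = set()
    for entry in allowed:
        try:
            trusted.add(ipaddress.ip_address(entry))
        except ValueError:
            continue   # a typo in the setting must not widen the allow list
    return peer in trusted


def compiled_template_ok(compiled_source: bytes, authentic_md5: str) -> bool:
    """Compare the MD5 of a compiled template with the recorded authentic sum.

    hmac.compare_digest avoids a timing side channel; on a mismatch the caller
    discards the compiled file and recompiles it from the template source.
    """
    actual = hashlib.md5(compiled_source).hexdigest()
    return hmac.compare_digest(actual, authentic_md5.strip().lower())


if __name__ == "__main__":
    exts = parse_csv_setting(DISALLOWED_EXTENSIONS)
    for name in ("invoice.pdf", "shell.php", "Shell.PHP", "shell.php.txt", "shell.php."):
        print(f"{name:15} upload allowed: {upload_allowed(name, exts)}")
    ips = parse_csv_setting(GATEWAY_IPS)
    for addr in ("203.0.113.10", "203.0.113.12", "not-an-ip"):
        print(f"{addr:15} gateway trusted: {gateway_ip_trusted(addr, ips)}")
    compiled = b"<?php /* constructed compiled template */ echo 'hello'; ?>"
    good = hashlib.md5(compiled).hexdigest()
    print("template intact:  ", compiled_template_ok(compiled, good))
    print("template tampered:", compiled_template_ok(compiled + b"\n/* x */", good))
```

Note that the blocklist approach is only as good as the list: an extension that is not listed (for example, a server-side include or a second scripting language enabled on the host) will pass, which is why the setting needs to be kept in step with what the web server actually executes.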
HTTPS options
▪ Use HTTPS for users' login and registration: If selected, existing users log in to the store and new users get registered using HTTPS.
▪ Use secure login form on a separate page (HTTPS): If selected, your store's authorization pages will provide links to special secure login pages allowing users to log in to the store using HTTPS.
▪ Do not redirect customers from HTTPS to HTTP: If selected, customers use HTTPS all the time while using your store. You can unselect this check box if you want to enable redirection of customers to HTTP for pages where security is not required.
PGP options
▪ Home path: Path to the PGP home directory (the directory where the PGP configuration file and keyrings are stored).
Note: All the files in the PGP home directory must be owned by the user under which PGP is running (usually the web server user) and must have UNIX 0600 permissions. The directory itself must have 0700 permissions.
▪ PGP binary path: Path to the PGP executable.
▪ PGP user id: Your user ID (an ASCII string used to identify a user).
▪ PGP public key: Public key that will be used to encrypt your data (after you paste your public key into this field and click the Save button, the key is added to your public keyring).
▪ Use PGP version 6: Select this check box to use PGP version 6.
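The ownership and permission requirements in the note above apply equally to the GnuPG home directory described in the next section, and they are easy to break when keyrings are copied into place by a different account. The following is an added audit script written for this page, not X-Cart's own code: it walks a PGP/GnuPG home directory and reports every entry whose owner or mode differs from what the note requires (directories 0700, files 0600, everything owned by the user the encryption binary runs as). The sample home it builds is a constructed temporary directory with one correct keyring file and one that is world-readable.

```python
"""Added example (not X-Cart code): audit a PGP/GnuPG home directory against
the requirements stated in the manual (files 0600, directories 0700, all
owned by the user the encryption binary runs as).  build_sample_home()
creates a constructed temporary directory for demonstration only."""
import os
import stat
import tempfile
from typing import List, Optional


def audit_pgp_home(home: str, expected_uid: Optional[int] = None) -> List[str]:
    """Return human-readable findings; an empty list means the home passes.

    expected_uid defaults to the current process user, which is what you get
    when the audit itself is run as the web server user.  Subdirectories (for
    example GnuPG's private-keys-v1.d) are checked recursively with the same rules.
    """
    if expected_uid is None:
        expected_uid = os.getuid()
    findings: List[str] = []
    st = os.lstat(home)
    if not stat.S_ISDIR(st.st_mode):
        return [f"{home}: not a directory"]
    if st.st_uid != expected_uid:
        findings.append(f"{home}: owned by uid {st.st_uid}, expected {expected_uid}")
    if stat.S_IMODE(st.st_mode) != 0o700:
        findings.append(f"{home}: mode {stat.S_IMODE(st.st_mode):04o}, expected 0700")
    for name in sorted(os.listdir(home)):
        path = os.path.join(home, name)
        fst = os.lstat(path)
        if stat.S_ISDIR(fst.st_mode):
            findings.extend(audit_pgp_home(path, expected_uid))
            continue
        if fst.st_uid != expected_uid:
            findings.append(f"{path}: owned by uid {fst.st_uid}, expected {expected_uid}")
        if stat.S_ISREG(fst.st_mode) and stat.S_IMODE(fst.st_mode) != 0o600:
            findings.append(f"{path}: mode {stat.S_IMODE(fst.st_mode):04o}, expected 0600")
    return findings


def build_sample_home(faulty: bool = True) -> str:
    """Construct a throwaway home directory (constructed sample, not real keyrings).

    With faulty=True the second keyring file is left world-readable (0644),
    which is the mistake the audit is meant to catch.
    """
    home = tempfile.mkdtemp(prefix="pgp-home-")
    os.chmod(home, 0o700)
    files = (("pubring.gpg", 0o600), ("secring.gpg", 0o644 if faulty else 0o600))
    for name, mode in files:
        path = os.path.join(home, name)
        with open(path, "wb") as fh:
            fh.write(b"constructed keyring placeholder\n")
        os.chmod(path, mode)
    return home


if __name__ == "__main__":
    findings = audit_pgp_home(build_sample_home())
    for line in findings or ["home directory passes the ownership and mode checks"]:
        print(line)
```

Run it as the same account the web server uses; if you run it as a different user the ownership findings will be about that mismatch rather than about the keyring files themselves.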
GnuPG options
▪ Home path: Path to the GnuPG home directory.
▪ GnuPG binary path: Path to the GnuPG executable.
▪ GnuPG user id: Your user ID.
▪ GnuPG public key: Public key that will be used to encrypt your data.
P3P options
This section allows you to define your store's privacy policy. P3P-enabled web browsers use the information provided in this section to decide how to interact with your store site. For example, Microsoft Internet Explorer 6 can compare your store's privacy policy with the user's stored preferences to decide whether or not to allow cookies from your store site.
▪ P3P compact policy data: Your store's compact privacy policy (included in the HTTP response headers).
▪ P3P policy reference file url (leave empty if not used): URL of your store's P3P policy reference file.
Note: More information about P3P is available at the W3C P3P site (http://www.w3.org/P3P/).
Test data encryption
This section allows you to test whether PGP/GnuPG encryption is working correctly. For details, see the chapter PGP/GnuPG of this manual.