Answer
The free trial is designed to be easy to set up and test. Once you get the full CactuShop files, you should pay attention to security issues. The vast majority of security issues we see involve unsafe setup of Access databases.
1. Access database placement
The most common security issue we see is that the Access database file is located in the web space. If an attacker finds this file (and there are ways to do this), he can simply download it. This gives him a copy of all your data, including usernames and passwords.
For this reason, you MUST ensure that your Access database cannot be downloaded from the web site.
There are several ways to do this. The best option is to use the DATA or _PRIVATE folder that most web hosts provide on Windows hosting. You will need to adjust the strPathToDatabase setting in your config.asp accordingly.
For example, if the DATA folder sits alongside the webroot (a sibling of it, not inside it), your database path might be:
../data/cactushop6.mdb
If the _PRIVATE folder is inside the webroot, the database path might be:
_private/cactushop6.mdb
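To see where a configured strPathToDatabase actually lands, here is an added example (not CactuShop code and not part of the original answer) that resolves the relative path lexically against the directory holding config.asp and reports whether the result is inside the webroot. The directory layout (/srv/www/wwwroot as the webroot, config.asp directly inside it) is constructed for illustration and written with forward slashes; the same logic applies to a wwwroot folder on a Windows host. It also makes the difference between the two paths above visible: ../data/ lands outside the webroot and is never web-addressable, while _private/ stays inside it and relies on the host's IIS configuration to refuse requests, which is why the test in section 4 matters.

```shell
#!/bin/sh
# Added example (not CactuShop code): check where strPathToDatabase resolves.

# Lexically resolve REL against BASE, collapsing "." and "..". No filesystem
# access is needed, so a layout copied from a Windows host can be checked
# anywhere (write it with forward slashes).
resolve_path() {
    base="$1"; rel="$2"
    case "$rel" in
        /*) path="$rel" ;;
        *)  path="$base/$rel" ;;
    esac
    out=""
    old_ifs="$IFS"; IFS=/
    for part in $path; do
        case "$part" in
            ""|.) ;;                  # empty (from "//") or current dir: skip
            ..)   out="${out%/*}" ;;  # parent: drop the last component
            *)    out="$out/$part" ;;
        esac
    done
    IFS="$old_ifs"
    echo "${out:-/}"
}

# Arguments: WEBROOT CONFIG_DIR DBPATH, where DBPATH is the strPathToDatabase
# value and CONFIG_DIR is the directory containing config.asp (assumed here to
# be the directory the relative path is resolved from).
# Exit 0 if the database lands outside the webroot, 1 if it is web-addressable.
db_outside_webroot() {
    webroot=$(resolve_path / "$1")
    abs=$(resolve_path "$2" "$3")
    case "$abs" in
        "$webroot"/*) echo "$abs is INSIDE webroot $webroot (only host config protects it)"; return 1 ;;
        *)            echo "$abs is outside webroot $webroot"; return 0 ;;
    esac
}

# Constructed layout: the site lives in /srv/www/wwwroot and config.asp sits
# directly in it. "|| true" just lets both verdicts print.
db_outside_webroot /srv/www/wwwroot /srv/www/wwwroot ../data/cactushop6.mdb || true
db_outside_webroot /srv/www/wwwroot /srv/www/wwwroot _private/cactushop6.mdb || true
```

Run it with your own webroot, config.asp directory and strPathToDatabase value; anything reported as INSIDE must be verified with the browser test in section 4 rather than assumed safe.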
2. Access database file type
Some hosts do not provide a DATA or _PRIVATE folder to protect data from download. In this case, you can try an alternative method. Simply change the file extension of your Access .mdb file to .asp, for example cactushop6.asp, then change the database path in your config.asp to reflect the new name. On most Microsoft servers, any attempt to download this file by typing its path into the browser generates an ASP error (because the file is not actually an ASP script), while the file itself still works fine as a database. However, you must ensure the folder holding this file is set to run scripts. Otherwise the server will send the raw contents of the 'ASP' file (which is actually your Access database) to the browser. This method depends entirely on the script mapping staying in place, so treat it as a fallback for when the database cannot be moved out of the web space, and test it as described in section 4.
3. Back end security
Once your database is set up securely, you need to ensure that an attacker cannot gain entry through the back end login system.
The first step is to choose usernames and passwords for the admin accounts that cannot easily be guessed.
If you only access the store from a fixed IP address, you can set this in config.asp. There are comments to guide you. This is extremely effective security in our experience, but can be a little inconvenient if you need to access the store from work and from home, for example.
4. Test your system
The final step is to test your setup. None of the measures above should be assumed to work without testing. Type the full URL of your Access database into a browser (if it is in a _PRIVATE folder, or if the file type was changed to .asp). You should not get a 'save' dialogue popup. Instead, some kind of error message should appear.
If you get garbled text rather than a plain-text error, then this is not enough: the server is sending you the contents of the database file. You need to see a simple script error.
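A scripted version of this check, as an added example that is not part of CactuShop or the original answer: it fetches the database URL with curl and classifies the response body by the Access file signature (the text "Standard Jet DB" for .mdb files, or "Standard ACE DB" for .accdb files, at byte offset 4) and, failing that, by whether the body contains non-printable bytes, which corresponds to the "garbled text" case above. The host name in the usage line and the sample responses in the comments are constructed placeholders.

```shell
#!/bin/sh
# Added example (not CactuShop code): check whether an Access database can be
# downloaded from the web site.

# Classify a saved HTTP response body. Prints one of:
#   LEAK        the body is an Access/Jet database (signature at byte offset 4)
#   BINARY      non-printable content, so the file is probably being served raw
#   ERROR-PAGE  readable text only, e.g. an ASP script error (what you want to see)
classify_body() {
    body="$1"
    # Bytes 4..18 of an .mdb/.accdb file spell "Standard Jet DB" / "Standard ACE DB".
    sig=$(dd if="$body" bs=1 skip=4 count=15 2>/dev/null)
    case "$sig" in
        "Standard Jet DB"|"Standard ACE DB") echo LEAK; return 0 ;;
    esac
    # Count bytes that are neither printable ASCII nor whitespace.
    nonprint=$(LC_ALL=C tr -d '[:print:][:space:]' < "$body" | wc -c | tr -d ' ')
    if [ "$nonprint" -gt 0 ]; then
        echo BINARY
    else
        echo ERROR-PAGE
    fi
}

# Fetch URL and classify the response. Succeeds (exit 0) only when the server
# answered with a readable error page, which is the expected outcome after the
# setup described above. A 404 means the URL is wrong, not that the file is safe.
check_db_url() {
    url="$1"
    tmp=$(mktemp)
    status=$(curl -s -o "$tmp" -w '%{http_code}' "$url")
    verdict=$(classify_body "$tmp")
    rm -f "$tmp"
    echo "$url -> HTTP $status, $verdict"
    if [ "$status" = "404" ]; then
        echo "  (not found: check the path, the test is inconclusive)"
        return 1
    fi
    [ "$verdict" = "ERROR-PAGE" ]
}

# Usage with a placeholder host and the _PRIVATE layout from section 1:
#   check_db_url https://shop.example/_private/cactushop6.mdb
# Repeat for the renamed-file layout from section 2 (.../cactushop6.asp).
```

Run check_db_url against every URL the database could plausibly be reached at (the original .mdb name as well as the renamed .asp one, if you used that method); a LEAK or BINARY verdict means the setup is not yet safe.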
The above does not guarantee that there will not be other security issues. For example, we strongly advise against storing credit card details, and SSL must certainly be used if card details pass through your web site.
If you are in any doubt about the security of your site or have any other security questions, please open a support ticket and we'd be happy to do some basic checks ourselves for you.