Secure Server Configuration

Learn how to configure your X-Cart server to be more secure.

Olga Tereshina avatar
Written by Olga Tereshina
Updated over a week ago

In general, you should limit access to the server as much as possible. Use restrictive permissions, set up the right owner for the site files.

Why X-Cart Asks for 666/777 Permissions?

The default UNIX 666/777 permissions, which X-Cart asks to set, don’t consider security requirements. They are provided to achieve a seamless installation and upgrade procedure and cannot be tailored for your specific server configuration. Once the installation process is complete, you should set at least 644 permissions for the files and 755 permissions for the folders.

The reason for the 666 or 777 number is to ensure that folders and files are operatable, even if the wrong owner user is set (which is the pretty common case on some servers). The right thing to do is to perform chown command on the X-Cart folder, but the software itself can’t determine the right user to suggest you.

Apache-Specific Settings

If you are using the Apache2 server, most of the security settings are already set by .htaccess files inside folders.

Nginx-Specific Settings

Lock some directories from web access using these directives in the server {} section.

location ^~ /classes { 
location ~* \.(png|svg) {
try_files $uri =404;
}
return 403;
}

location ^~ /files {
location ^~ /files/attachments {
try_files $uri =404;
}
location ^~ /files/vendor {
try_files $uri =404;
}
return 403;
}

location ^~ /images {
location ~* \.(jpg|jpeg|gif|png|bmp|ico|tiff|flv|swf|svg|pdf) {
try_files $uri =404;
}
return 403;
}

location ^~ /skins {
location ~* \.(tpl|twig|php|pl|conf) {
deny all;
}
try_files $uri =404;
}

location ^~ /var {
location ~* \.(gif|jpe?g|png|bmp|css|js) {
try_files $uri =404;
}
return 403;
}

location ~ /(vendor|sql|lib|etc|Includes)/ {
deny all;
}

location ~ /var/(export|import)/ {
deny all;
}

location ^~ /service/ {
location ^~ /service/static/ {
try_files $uri =404;
}
return 403;
}

If your site is placed in a subdirectory of your webroot, you should provide the path relative to web-root for each folder in location ^~ lines like this: location ^~ /xcart/classes.

Did this answer your question?