Notifying EvolutionX
If you ever have a security question, a security incident, or a security complaint, please start a support chat in our Admin support chat and describe your complaint or question to us in as much detail as possible. We take the security of the platform seriously and will quickly investigate and reply.
EvolutionX Admin Security & Compliance module
The EvolutionX Admin Security & Compliance module provides important resources to help you with your compliance obligations. Below you'll find a description of each section along with some additional advice for reporting security & compliance concerns or questions.
Compliance
We have resources available to help you with security and compliance obligations and we've organised relevant articles in our Data Protection knowledgebase here to help you on your compliance journey.
EvolutionX's Compliance Center in the Admin is your one-stop destination for essential compliance documents. In an ever-evolving regulatory landscape, we prioritize data security and adherence to industry standards.
Our collection of compliance resources, including the EvolutionX Processor Audit, PCI Certificate of Compliance, EvolutionX Infrastructure Highlights, and PCI Attestation of Compliance, empowers you to demonstrate your commitment to data protection and payment security. Download these documents to showcase your dedication to compliance and operational excellence.
Security Headers
Security headers are HTTP response headers that enhance the security of web applications by controlling various aspects of how a web page is displayed and accessed by browsers. These headers help protect against certain types of attacks and provide a way to set security-related policies for a website. I'll explain each of the security headers and provide best practice default values:
Referrer-Policy:
Default Value: strict-origin-when-cross-origin
Purpose: The Referrer-Policy header controls how much information the browser should include in the HTTP Referer header when a user navigates away from a page. The Referer header typically contains the URL of the page that referred the user to the current page.
Best Practice Default Value: strict-origin-when-cross-origin
The strict-origin-when-cross-origin directive is the same as strict-origin, although the HTTP Referer header will not be sent for cross-origin HTTP requests. When no policy is specified, this is the default value. It is also used if the specified directive is not understood.
X-Frame-Options:
Default Value: DENY
Purpose: The X-Frame-Options header helps prevent clickjacking attacks by specifying whether a web page should be allowed to be displayed in a <frame>, <iframe>, <embed>, or <object>. Setting it to DENY ensures that the page cannot be embedded in any frame.
Best Practice Default Value: DENY is the recommended default value to prevent the page from being framed, providing strong protection against clickjacking attacks.
Content-Security-Policy:
Default Value: There isn't a single "best practice" default value for Content-Security-Policy (CSP) because it depends on the specific needs and requirements of your store. CSP allows you to define a set of directives that control which resources (e.g., scripts, stylesheets, images) can be loaded and executed by the browser. A strict CSP may initially block resources needed by your site, so it should be carefully configured based on your site's functionality.
Purpose: CSP is a powerful security feature that can mitigate various types of attacks, including Cross-Site Scripting (XSS) and data injection attacks. It defines a policy that instructs the browser which domains are trusted sources for different types of content and scripts.
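As an added example (not EvolutionX's own code), the following Python script parses a constructed HTTP response and checks the three headers described above against the recommended defaults; the sample response, and the check for 'unsafe-inline' and wildcard script sources in the CSP, are assumptions chosen for illustration.

```python
# Added example, not EvolutionX code: audit a captured HTTP response
# against the header defaults described on this page.
from email.parser import BytesHeaderParser

# Constructed sample response, as a browser devtools capture might show it.
# HTTP header names are case-insensitive, so one is deliberately lower-case.
SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: text/html; charset=utf-8\r\n"
    b"referrer-policy: no-referrer-when-downgrade\r\n"
    b"X-Frame-Options: SAMEORIGIN\r\n"
    b"Content-Security-Policy: default-src 'self'; "
    b"script-src 'self' 'unsafe-inline' https://cdn.example; img-src *\r\n"
    b"\r\n"
)

def parse_headers(raw: bytes) -> dict:
    """Return a lower-cased {name: value} dict from a raw HTTP response."""
    _status_line, _, header_block = raw.partition(b"\r\n")
    msg = BytesHeaderParser().parsebytes(header_block)
    return {name.lower(): value.strip() for name, value in msg.items()}

def parse_csp(value: str) -> dict:
    """Split a CSP string into {directive: [source, ...]}."""
    policy = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy

def audit_headers(headers: dict) -> list:
    """Return findings; an empty list means the headers match the defaults above."""
    findings = []
    rp = headers.get("referrer-policy")
    if rp != "strict-origin-when-cross-origin":
        findings.append(f"Referrer-Policy is {rp!r}; expected strict-origin-when-cross-origin")
    xfo = headers.get("x-frame-options", "").upper()
    if xfo != "DENY":
        findings.append(f"X-Frame-Options is {xfo or None!r}; expected DENY")
    csp = headers.get("content-security-policy")
    if csp is None:
        findings.append("Content-Security-Policy header is missing")
    else:
        policy = parse_csp(csp)
        # Script sources that undo CSP's XSS protection (assumed check; tune per store).
        for risky in ("'unsafe-inline'", "*"):
            if risky in policy.get("script-src", policy.get("default-src", [])):
                findings.append(f"script-src allows {risky}")
    return findings

if __name__ == "__main__":
    for finding in audit_headers(parse_headers(SAMPLE_RESPONSE)):
        print("FINDING:", finding)
```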