
Security Checklist

Run through this list before exposing your shop publicly, and review every quarter.

Network

  • [ ] Firewall: only :80, :443, :22 inbound. Block all others (ufw default deny).
  • [ ] SSH on port :22 restricted to your IP, or moved to a non-standard port.
  • [ ] PostgreSQL bound to localhost only (listen_addresses = 'localhost' in postgresql.conf).
  • [ ] Redis bound to localhost only and password-protected (requirepass).
  • [ ] No public access to :9000, :3001, :8000 — verify with nmap from outside.

TLS

  • [ ] Valid certificate from Let's Encrypt or your CA on port :443.
  • [ ] HTTP traffic redirects to HTTPS (return 301 https://... in nginx).
  • [ ] HSTS header set (Strict-Transport-Security: max-age=31536000; includeSubDomains).
  • [ ] TLS 1.2+ only — disable 1.0/1.1 in nginx ssl_protocols.
  • [ ] Cert auto-renewal cron in place (certbot renew --quiet).

SSH

  • [ ] Password login disabled (PasswordAuthentication no).
  • [ ] Root login disabled (PermitRootLogin no) — use sudo from a normal user.
  • [ ] Public-key auth only.
  • [ ] fail2ban installed and active.

Secrets

  • [ ] All .env.local files have mode 600, owned by the service user.
  • [ ] JWT_SECRET, COOKIE_SECRET, REVALIDATE_SECRET are 64-char random.
  • [ ] DB password is 32+ characters, unique per instance.
  • [ ] No secrets in git, in shell history, or in screenshots/issues.
  • [ ] Stripe live keys live only on the production box. Test/sandbox keys for staging.
  • [ ] License keys for installed plugins are encrypted in the DB (CarphaCom does this by default).
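As an added example (not CarphaCom's own tooling), a small POSIX shell audit that verifies four of the items above the way a quarterly cron job could: the sshd settings, the PostgreSQL bind address, the .env.local file mode and secret lengths, and the HSTS header read from a saved `curl -sI` response. The default file paths, the environment-variable overrides and the unquoted KEY=value layout of .env.local are assumptions.

```shell
#!/bin/sh
# Added audit helpers (not CarphaCom code) for items in the checklist above.
# Each check returns 0 when the setting matches the checklist, 1 otherwise,
# so a cron job can chain them and alert on any non-zero exit.

# Effective value of KEY in an sshd_config-style file (last uncommented wins).
conf_value() {                                  # conf_value FILE KEY
    awk -v k="$2" 'tolower($1) == tolower(k) { v = $2 } END { print v }' "$1"
}

check_sshd() {                                  # PasswordAuthentication no, PermitRootLogin no
    [ "$(conf_value "$1" PasswordAuthentication)" = "no" ] &&
    [ "$(conf_value "$1" PermitRootLogin)" = "no" ]
}

check_postgres() {                              # listen_addresses = 'localhost' (last setting wins)
    v=$(sed -n "s/^[[:space:]]*listen_addresses[[:space:]]*=[[:space:]]*'\([^']*\)'.*/\1/p" "$1" | tail -n 1)
    [ "$v" = "localhost" ]
}

check_env_file() {                              # mode 600 and 64+ char secrets (assumes unquoted KEY=value)
    find "$1" -prune -perm 600 | grep -q . || return 1
    for key in JWT_SECRET COOKIE_SECRET REVALIDATE_SECRET; do
        v=$(sed -n "s/^$key=//p" "$1" | tail -n 1)
        [ "${#v}" -ge 64 ] || return 1
    done
}

check_hsts() {                                  # FILE holds response headers, e.g. from: curl -sI https://shop.example.com/
    hsts=$(grep -i '^strict-transport-security:' "$1" | tail -n 1)
    max=$(printf '%s' "$hsts" | sed -n 's/.*max-age=\([0-9]*\).*/\1/p')
    [ -n "$max" ] && [ "$max" -ge 31536000 ] &&
    printf '%s' "$hsts" | grep -qi 'includeSubDomains'
}

report() {                                      # report NAME CHECK ARGS...
    name=$1; shift
    if "$@"; then echo "PASS $name"; else echo "FAIL $name"; fi
}

audit() {                                       # default paths are assumptions; override via env vars
    report "ssh hardening"  check_sshd     "${SSHD_CONFIG:-/etc/ssh/sshd_config}"
    report "postgres local" check_postgres "${PG_CONF:-/etc/postgresql/postgresql.conf}"
    report "env file"       check_env_file "${ENV_FILE:-.env.local}"
    report "hsts header"    check_hsts     "${HEADERS_FILE:-headers.txt}"
}

if [ "${1:-}" = "--run" ]; then audit; fi      # sh audit.sh --run
```

Any FAIL line is a checklist item to fix before the next review; the checks only read files, so they are safe to run from a non-root monitoring user that has read access to the configs.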

Application

  • [ ] Admin user uses a 16+ character password from a generator.
  • [ ] 2FA enabled on the admin panel (Settings → Security → 2FA).
  • [ ] Inactive admin sessions time out after 30 days.
  • [ ] Custom admin_users rows have only the permissions each user needs (least privilege).
  • [ ] Webhook signing secrets are rotated every 12 months.

Updates

  • [ ] OS auto-updates security patches enabled (unattended-upgrades).
  • [ ] CarphaCom platform auto-update for patch versions enabled.
  • [ ] All plugins updated within 7 days of a release (subscribe to vendor changelogs).
  • [ ] Quarterly review of installed plugins — uninstall anything unused.

Monitoring

  • [ ] Daily backup runs and reports success (alert on failure).
  • [ ] Disk usage alert when the disk is 80% full.
  • [ ] PM2 process restart alerts (pm2 install pm2-logrotate + your monitoring).
  • [ ] Failed login attempt rate alert (block at 10 in 5 min from same IP).
  • [ ] Uptime monitor against https://shop.example.com/health from outside.

Compliance (EU)

  • [ ] Cookie consent banner active (install Cookie Consent plugin).
  • [ ] Privacy policy + terms of service pages published.
  • [ ] GDPR data export and deletion endpoints tested (Customers → [customer] → Export / Erase).
  • [ ] If you process card data, your Stripe Elements integration keeps you in PCI-DSS SAQ-A scope (no card data ever touches your server).

Print this checklist, sign it, file it. Do it again every quarter.