Security Checklist

Run through this list before exposing your shop publicly, and review every quarter.

Network

  • [ ] Firewall: only :80, :443, :22 inbound. Block all others (ufw default deny).
  • [ ] SSH on port :22 restricted to your IP, or moved to a non-standard port.
  • [ ] PostgreSQL bound to localhost only (listen_addresses = 'localhost' in postgresql.conf).
  • [ ] Redis bound to localhost only and password-protected (requirepass).
  • [ ] No public access to :9000, :3001, :8000 — verify with nmap from outside.

TLS

  • [ ] Valid certificate from Let's Encrypt or your CA on port :443.
  • [ ] HTTP traffic redirects to HTTPS (return 301 https://... in nginx).
  • [ ] HSTS header set (Strict-Transport-Security: max-age=31536000; includeSubDomains).
  • [ ] TLS 1.2+ only — disable 1.0/1.1 in nginx ssl_protocols.
  • [ ] Cert auto-renewal cron in place (certbot renew --quiet).

SSH

  • [ ] Password login disabled (PasswordAuthentication no).
  • [ ] Root login disabled (PermitRootLogin no) — use sudo from a normal user.
  • [ ] Public-key auth only.
  • [ ] fail2ban installed and active.
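
A small audit script for the Network, TLS and SSH items above, added here as an example; it is not part of CarphaCom and not from the checklist's author. It assumes the usual single-file layouts for sshd_config, postgresql.conf, redis.conf and the nginx server block, and runs against constructed sample files so it can be tried offline before pointing it at real paths.

```shell
#!/bin/sh
# Added example, not CarphaCom project code: audit Network, TLS and SSH checklist items
# against config files. Each check_* takes a file path and returns 0 (pass) or 1 (fail).
# Caveat: sshd Match/Include and nginx include blocks can override what one file shows.
# True if FILE has an uncommented "KEY VALUE" (sshd, redis) or "KEY = 'VALUE'" (postgres) line.
has_directive() {
  grep -Eiq "^[[:space:]]*$2[[:space:]]*=?[[:space:]]*['\"]?$3['\"]?([[:space:]]|;|#|\$)" "$1"
}
check_ssh() {       # SSH section: key-only auth, no root login
  has_directive "$1" PasswordAuthentication no && has_directive "$1" PermitRootLogin no
}
check_postgres() {  # Network section: listen_addresses = 'localhost'
  has_directive "$1" listen_addresses localhost
}
check_redis() {     # Network section: loopback bind plus a non-empty requirepass
  has_directive "$1" bind '127\.0\.0\.1' &&
    grep -Eq '^[[:space:]]*requirepass[[:space:]]+[^[:space:]]' "$1"
}
check_nginx() {     # TLS section: explicit ssl_protocols without 1.0/1.1, one-year HSTS
  grep -Eq '^[[:space:]]*ssl_protocols' "$1" &&
    ! grep -Ei '^[[:space:]]*ssl_protocols' "$1" | grep -Eq '(^|[[:space:]])TLSv1(\.1)?([[:space:]]|;)' &&
    grep -Eq 'Strict-Transport-Security.*max-age=31536000' "$1"
}
# Constructed sample configs: *_good satisfy the checklist, *_bad show typical misses.
write_samples() {
  dir=$(mktemp -d)
  printf 'PermitRootLogin no\nPasswordAuthentication no\n' > "$dir/sshd_good"
  printf 'PasswordAuthentication no\n#PermitRootLogin no\nPermitRootLogin yes\n' > "$dir/sshd_bad"
  printf "listen_addresses = 'localhost'  # CarphaCom DB\n" > "$dir/pg_good"
  printf "listen_addresses = '*'\n" > "$dir/pg_bad"
  printf 'bind 127.0.0.1 -::1\nrequirepass placeholder-not-a-real-secret\n' > "$dir/redis_good"
  printf 'bind 0.0.0.0\n# requirepass\n' > "$dir/redis_bad"
  printf 'ssl_protocols TLSv1.2 TLSv1.3;\nadd_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;\n' > "$dir/nginx_good"
  printf 'ssl_protocols TLSv1 TLSv1.1 TLSv1.2;\n' > "$dir/nginx_bad"
  echo "$dir"
}
# Runs every check on "$1/<service>_$2", prints one line per item; AUDIT_FAILS holds the count.
audit() {
  AUDIT_FAILS=0
  for svc in ssh:sshd postgres:pg redis:redis nginx:nginx; do
    file="$1/${svc#*:}_$2"
    if "check_${svc%%:*}" "$file"; then echo "PASS ${svc%%:*} $file"
    else echo "FAIL ${svc%%:*} $file"; AUDIT_FAILS=$((AUDIT_FAILS + 1)); fi
  done
  [ "$AUDIT_FAILS" -eq 0 ]
}
d=$(write_samples); audit "$d" good || true; audit "$d" bad || true; rm -r "$d"
```

To use it on a real host, call the check_* functions with the live paths (for example check_ssh /etc/ssh/sshd_config) from a cron job and alert on a non-zero exit.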

Secrets

  • [ ] All .env.local files have mode 600, owned by the service user.
  • [ ] JWT_SECRET, COOKIE_SECRET, REVALIDATE_SECRET are 64-character random strings.
  • [ ] DB password is 32+ characters, unique per instance.
  • [ ] No secrets in git, in shell history, or in screenshots/issues.
  • [ ] Stripe live keys live only on the production box. Test/sandbox keys for staging.
  • [ ] License keys for installed plugins are encrypted in the DB (CarphaCom does this by default).

Application

  • [ ] Admin user uses a 16+ character password from a generator.
  • [ ] 2FA enabled on the admin panel (Settings → Security → 2FA).
  • [ ] Inactive admin sessions time out after 30 days.
  • [ ] Custom admin_users rows have only the permissions each user needs (least privilege).
  • [ ] Webhook signing secrets are rotated every 12 months.

Updates

  • [ ] OS auto-updates security patches enabled (unattended-upgrades).
  • [ ] CarphaCom platform auto-update for patch versions enabled.
  • [ ] All plugins updated within 7 days of a release (subscribe to vendor changelogs).
  • [ ] Quarterly review of installed plugins — uninstall anything unused.

Monitoring

  • [ ] Daily backup runs and reports success (alert on failure).
  • [ ] Disk usage alert when the disk reaches 80% full.
  • [ ] PM2 process restart alerts (pm2 install pm2-logrotate + your monitoring).
  • [ ] Failed login attempt rate alert (block after 10 failures in 5 minutes from the same IP).
  • [ ] Uptime monitor against https://shop.example.com/health from outside.

Compliance (EU)

  • [ ] Cookie consent banner active (install Cookie Consent plugin).
  • [ ] Privacy policy + terms of service pages published.
  • [ ] GDPR data export and deletion endpoints tested (Customers → [customer] → Export / Erase).
  • [ ] If you process card data, your Stripe Elements integration keeps you in PCI-DSS SAQ-A scope (no card data ever touches your server).

Print this checklist, sign it, file it. Do it again every quarter.