Security measures

The security of our applications and systems is our top priority. In this article, we provide a detailed look at the various security measures currently implemented in Shopware. A thorough knowledge of these measures is critical to ensure the integrity, confidentiality, and availability of our services. Below you will find a summary of the current security measures as well as the necessary details.

Rate limiter

Shopware 6 provides certain rate limits by default that reduce the risk of brute force attacks on pages such as login or password reset. The configuration of these rate limiters is done via the Shopware 6 bundle configuration in the file "shopware.yml", where different limiters can be defined for specific actions.
You can see what these are and how they can be configured here.

Storefront IP Whitelisting

In Shopware, you can temporarily disable sales channels to temporarily disable access for visitors and the API, and also enable maintenance mode that only displays a maintenance page. When using a proxy server, it is important to set the proxy IP as a trusted proxy in the .env configuration file or PHP settings to use the IP whitelist feature correctly.
You can find more information about this here.

Prevent XSS by HTML Sanitizer

With Shopware version 6.5, an HTML sanitizer has been implemented. This sanitizer improves the security, reliability, and usability of the editor by removing unsafe HTML code. It also sanitizes styles and attributes for consistent and correct code rendering regardless of platform and browser.  
You can find more information here

Prevent SQL Injection

Using user input to communicate with a database poses security risks because databases allow powerful commands that should not be executed by every website user, and the data in the database could contain sensitive information. A particularly dangerous security issue related to databases is the possibility of SQL injections, where an attacker can execute new SQL statements or modify existing ones to access unauthorized information. Doctrine DBAL and ORM cannot prevent such attacks if the developer is careless, and it is critical to understand the SQL injection issues and take appropriate action. The use of prepared statements to safely use user input in SQL or DQL queries is recommended, instead of dangerous string concatenation or quoting/escaping values.
You can find more information about this here.

API aware fields, entity write protection

Previously, a protection pattern was applied to entities to determine which fields are available through the APIs. By default, all fields are enabled for the /admin API, while for the /store-api and /sales-channel-api, you can specifically specify which fields should be visible. This is made possible by customizing the flags, where adding or removing flags affects the API visibility of the fields.  
More information about this can be found here.  
A reference of all available flags can be found here.

SameSite Cookies

The SameSite configuration in the Symfony FrameworkBundle replaces the sw_csrf Twig function and controls cookie security by default in modern browsers. Cookie security and SameSite settings can be customized in the framework.yaml file, disabling the SameSite protection feature if needed.  
You can find more information about this here. hier

GDPR compliance

The European General Data Protection Regulation (GDPR) came into force on May 25, 2018, replaced national data protection regulations and affects companies in the EU that work with personal data such as names, addresses and bank data. The aim of the GDPR is to promote consistent processing of personal data to ensure transparency and enhanced protection of consumer data.   
This docu-article provides a summary on the processing of personal data in Shopware 6 to facilitate the creation of documentation and privacy statements for Shopware instances.

Shopware 6 Security Plugin

The Security Plugin provides an alternative way to get all the security-related improvements without the need to upgrade to the latest version of the Shopware platform.
You can find the plugin here
You can find more information about it here.


In Shopware you can decide which captchas should be used in your registration and in the store to make sure that the user is a human and not a bot or a script. You can rely on one captcha solution or choose several to be applied. 
You can find more information about it here.

Was this article helpful?