Magento PWA & Headless eCommerce Security

The year is 2020, and the future is headless. 

…Well, the future of eCommerce, at least. Indeed, headless development has picked up significant momentum, and for good reason. By decoupling the front-end from the back-end, it brings multiple benefits, including

  • greater flexibility when adapting new eCom features and strategies 
  • reduced development costs and time-to-market
  • easy re-platforming 
  • more personalized customer experience
  • and much more.

All in all, the industry is set on making the most of headless eCommerce, even though it comes with a certain learning curve, extra tooling, and additional layers of complexity. There is clearly a demand for the new capabilities it unlocks, and, technologically, we are starting to see solutions that offer headless support out of the box. Such is the case with Magento 2 and PWA, which have been readily compatible since the release of Magento 2.

Still, data security remains a top priority and a responsibility of the dev teams involved in specific projects. Below is a summary of the recent security highlights from the team behind ScandiPWA (a dedicated open-source PWA theme for Magento) and ReadyMage (a tool built for quick deployment of Magento+ScandiPWA projects in a Kubernetes cluster).

Data transmission over HTTPS

ScandiPWA uses a service worker acting as a smart network proxy between the front-end and the back-end. However, if control of the service worker is ever taken over by a third party, it can be abused for a man-in-the-middle attack.

All data transfer in ScandiPWA takes place over HTTPS. This way we make sure that all data exchanged between the browser and the Magento back-end is encrypted in transit. Additionally, to ensure that the data received by the service worker has not been tampered with, service workers can only be registered on pages served over HTTPS.

Sensitive data security

ScandiPWA uses OAuth 2.0 to generate and validate user tokens for sensitive data requests. All such requests are passed only via the POST method and are not cached.

It is critical that sensitive data, such as Cart or Session tokens, is not stored in the URL, and we take measures to ensure that.
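The two policies described above (an HTTPS-only service worker, and POST or token-bearing requests that are never cached) expressed as a request policy for a PWA service worker. This is an added illustration in JavaScript, not ScandiPWA's own code; the store origin, the sensitive paths and the token parameter names are assumed placeholders.

```javascript
// Added example (not ScandiPWA's code): request policy for a PWA service worker.
// The store origin, sensitive paths and token parameter names are assumed placeholders.
const STORE_ORIGIN = 'https://shop.example';
const SENSITIVE_PATHS = ['/graphql', '/customer', '/checkout', '/cart'];
const TOKEN_PARAMS = ['token', 'session', 'cart_id', 'access_token'];

// Browsers only allow service worker registration in a secure context
// (HTTPS, or localhost during development); refuse to register anywhere else.
function canRegisterServiceWorker(protocol, hostname, isSecureContext) {
  return isSecureContext === true && (protocol === 'https:' || hostname === 'localhost');
}

// Decide how the worker treats a request:
//   'block'        plaintext HTTP: the worker never proxies it
//   'passthrough'  other origins: not intercepted, the browser handles it
//   'network-only' POST, sensitive path, or token in the URL: never read from or written to cache
//   'cache-first'  same-origin static GET: safe to cache
function classifyRequest(method, rawUrl) {
  const url = new URL(rawUrl, STORE_ORIGIN);
  if (url.protocol !== 'https:') return 'block';
  if (url.origin !== STORE_ORIGIN) return 'passthrough';
  if (method.toUpperCase() !== 'GET') return 'network-only';
  if (SENSITIVE_PATHS.some((p) => url.pathname.startsWith(p))) return 'network-only';
  // Tokens should never travel in the URL; if one does, at least keep it out of the cache.
  if (TOKEN_PARAMS.some((p) => url.searchParams.has(p))) return 'network-only';
  return 'cache-first';
}

// Inside a real service worker, apply the policy in the fetch handler.
if (typeof self !== 'undefined' && typeof self.addEventListener === 'function') {
  self.addEventListener('fetch', (event) => {
    const decision = classifyRequest(event.request.method, event.request.url);
    if (decision === 'passthrough') return;
    if (decision === 'block') { event.respondWith(Response.error()); return; }
    event.respondWith((async () => {
      if (decision === 'cache-first') {
        const cached = await caches.match(event.request);
        if (cached) return cached;
      }
      const resp = await fetch(event.request);
      if (decision === 'cache-first' && resp.ok) {
        const cache = await caches.open('static-v1');
        await cache.put(event.request, resp.clone());
      }
      return resp;
    })());
  });
}
```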

Token and authorization data

Since the Magento 2 configuration file is used for configurable parameters, ScandiPWA does not pass around or use any configuration files of its own that could hold sensitive data (such as access keys).

This type of configuration data is stored in the Magento 2 configuration file and is requested whenever it is needed.

Free from Magento 2 front-end security flaws

ScandiPWA serves as a full replacement of the original Magento 2 front-end. Thus, it is not exposed to any Magento 2 front-end security flaws. 

All the benefits of modern browsers

Since ScandiPWA is a pure web application, it automatically inherits the features and capabilities of the browser it runs in. This includes usability, performance, and, of course, security. It is therefore important to use ScandiPWA with modern, up-to-date browsers to ensure maximum security.

Secured access to ElasticSearch and Redis

ReadyMage offers an easy 1-click setup of a complete AWS infrastructure with ScandiPWA and Magento 2.

Since ScandiPWA uses ElasticSearch and Redis, ReadyMage is configured so that neither service has a public API endpoint. Instead, we have enabled controlled private API access, granted strictly on demand to the applications that lie within the project namespace.

Curious to learn more about ScandiPWA? Looking for a PWA solution for your eCommerce store? Let us help you! 

To learn all about PWA, check our complete PWA guide.

Feel free to drop us a line at info@scandiweb.com, or schedule a call with one of our staff to see how we can help you!
