Magento 2 Security
Before writing code
Fetch live docs:
- Web-search
site:experienceleague.adobe.com commerce securityfor security best practices - Web-search
site:developer.adobe.com commerce php development securityfor developer security guide - Web-search
magento 2 security patches latestfor recent security updates
Content Security Policy (CSP)
What It Does
Protects against XSS and code injection by restricting which resources (scripts, styles, images, fonts) can load.
Configuration
etc/csp_whitelist.xml— whitelist external domains per CSP directive- Modes: report-only (logs violations) and restrict (blocks violations)
- Directives:
script-src,style-src,img-src,font-src,connect-src,frame-src
Adding Allowed Sources
Whitelist third-party domains for payment gateways, analytics, CDNs:
- Declare in
csp_whitelist.xmlunder the appropriate directive - Use
report-onlymode first to identify missing whitelists
Two-Factor Authentication (2FA)
- Mandatory for all admin users since Magento 2.4.0
- Supported providers: Google Authenticator, Duo Security, Authy, U2F keys
- Rate limiting on OTP validation (configurable retry limit and lockout)
- Cannot be disabled in production (security requirement)
CSRF Protection
form_key— 16-character token included in all admin forms- Validated on every POST request in admin
- SameSite cookie attribute prevents cross-site request forgery
- Admin Secret Key in URLs adds additional protection
Admin Security Configuration
Available at Stores > Settings > Configuration > Advanced > Admin > Security:
- Custom admin URL path (obscure the
/adminpath) - Add Secret Key to URLs
- Password lifetime (force periodic changes)
- Max login failures before lockout
- Lockout duration
- Session lifetime
- Allowed countries for admin access
Input Validation and Output Escaping
Input Validation
- Validate all user input on the server side
- Use Magento's validation classes and form validators
- Never trust client-side validation alone
- Validate types, lengths, formats, and allowed values
Output Escaping (XSS Prevention)
In PHTML templates, always escape output:
$escaper->escapeHtml($value)— HTML context$escaper->escapeUrl($url)— URL context$escaper->escapeJs($value)— JavaScript context$escaper->escapeHtmlAttr($value)— HTML attribute context$escaper->escapeCss($value)— CSS context- Never use
echo $valuedirectly in templates
reCAPTCHA
- Native Google reCAPTCHA v2/v3 support since 2.3
- Configurable per form: login, registration, forgot password, checkout, contact
- Admin configuration at Stores > Configuration > Security > reCAPTCHA
API Security
- Bearer token authentication for REST/SOAP
- ACL-based authorization for all endpoints
- Rate limiting on authentication endpoints
- OAuth 1.0a for third-party integrations
Best Practices
- Apply security patches promptly — subscribe to Adobe Security Bulletins
- Use a custom admin URL (not
/admin) - Enable 2FA for all admin accounts
- Set strong password policies (length, complexity, expiry)
- Use HTTPS everywhere (frontend + admin)
- Restrict admin access by IP where possible
- Enable CSP in restrict mode (not just report-only)
- Escape all output in templates
- Keep Magento and all extensions up to date
- Run periodic security scans (Adobe Security Scan Tool)
- Review third-party extensions for security before installing
Fetch the security documentation for current CSP directives, 2FA configuration options, and latest security patches before implementing.