Security Best Practices

Note: Spartacus 4.x is no longer maintained. Please upgrade to the latest version.

Note: Spartacus 4.x was tested with SAP Commerce Cloud versions 1905 to 2205. Spartacus 4.x has not been verified to work with (and is not guaranteed to work with) SAP Commerce Cloud 2211 or later releases.

When you are developing your Spartacus storefront, you can improve the security of your storefront application by implementing the security best practices described here and in the following pages:

Secure Authentication

A fundamental element of running a secure storefront with Spartacus is to deploy it to a web server that provides and enforces encrypted communication over HTTPS. Spartacus does not enforce HTTPS through any internal logic; the web server must provide this. If you deploy a Spartacus storefront on a server that lets it communicate over unencrypted HTTP, your users are exposed to interception of their traffic.

HTTPS encryption is especially important for the user authentication and registration flows. Without HTTPS, user credentials are sent in the clear and can be read or altered by anyone on the network path.
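Because Spartacus leaves HTTPS enforcement to the web server, the following nginx configuration is an added example (not part of the Spartacus documentation) of a weak setup beside the corrected one. The host name storefront.example.com, the certificate paths and the document root /var/www/spartacus are placeholder assumptions.

```nginx
# Added example, not part of the Spartacus documentation.
# Assumptions (placeholders): host storefront.example.com, compiled Spartacus
# app in /var/www/spartacus, certificate and key under /etc/ssl.

# Weak: the storefront is served on plain HTTP. Spartacus itself will not
# redirect or refuse this, so logins and registrations travel unencrypted.
# server {
#     listen 80;
#     server_name storefront.example.com;
#     root /var/www/spartacus;
#     location / { try_files $uri $uri/ /index.html; }
# }

# Corrected: port 80 only redirects; all content is served over TLS.
server {
    listen 80;
    listen [::]:80;
    server_name storefront.example.com;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name storefront.example.com;

    ssl_certificate     /etc/ssl/certs/storefront.example.com.pem;   # placeholder
    ssl_certificate_key /etc/ssl/private/storefront.example.com.key; # placeholder
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers off;

    # HSTS: browsers remember to use HTTPS for this host for one year, so a
    # later http:// link or typed URL is upgraded before any request is sent.
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

    root /var/www/spartacus;
    index index.html;

    # Spartacus is an Angular single-page app: unknown paths fall back to
    # index.html so client-side routing can handle them.
    location / {
        try_files $uri $uri/ /index.html;
    }
}
```

After deploying, `curl -I http://storefront.example.com/` should return a 301 with an `https://` Location header, and `curl -I https://storefront.example.com/` should include the Strict-Transport-Security header.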