Security & Privacy Considerations for FoxyCart Stores
With any complex system there are things that might not be immediately obvious but are nonetheless important to understand and consider to ensure you're making the best decisions for your project. This is especially true with ecommerce, which collects sensitive information. None of the information on this page is intended to scare you; rather, it's to help you make good decisions based on your unique needs.
Because FoxyCart's checkout automatically determines whether a user is a returning customer, an attacker could enter an email address and learn whether that email is attached to a saved customer account. For example, if you enter firstname.lastname@example.org on the checkout, it will respond differently if that email is new than if it belongs to a returning customer.
If you're selling items that people might want to keep private, you may want to force guest checkouts only, so no email is ever saved in this way.
This is a somewhat common issue across the internet, and the alternative is to provide a very poor user experience in most situations. Example: You visit the checkout, enter your email and password, and get an error. But the error doesn't tell you if the email is wrong, or the password is wrong. You have no idea which email you even used, because the system doesn't want to leak this data. So you're left scratching your head wondering which of your 5 email addresses you actually used to register last year, or whether you registered at all. That's not conducive to a quick and easy checkout process, but if you don't want this potential privacy concern you can force guest checkout only.
(Also, to be clear: The attacker would have to know the email address ahead of time. We're not saying that an attacker can discover all the email addresses for all your customers.)
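To illustrate the trade-off described above, here is an added example (constructed for this page, not FoxyCart's own code) of a checkout sign-in check in two forms: one whose responses differ for known and unknown emails, and one whose response and amount of work are the same either way. The customer store, salt and passwords are constructed sample values.

```python
import hashlib
import hmac


def _hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2 so that a stored hash, not a plaintext password, is compared.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Constructed sample customer store: email -> (salt, password hash).
_SALT = b"constructed-fixed-salt"
CUSTOMERS = {
    "returning@example.org": (_SALT, _hash_password("correct horse", _SALT)),
}
# Dummy record so that an unknown email costs the same work as a known one.
_DUMMY = (_SALT, _hash_password("dummy-not-a-real-password", _SALT))


def revealing_checkout(email: str, password: str) -> str:
    """Checkout that explains why sign-in failed.

    The different messages let anyone test whether an email is registered.
    """
    record = CUSTOMERS.get(email)
    if record is None:
        return "new customer: proceed as guest"
    salt, stored = record
    if hmac.compare_digest(_hash_password(password, salt), stored):
        return "welcome back"
    return "wrong password for existing account"


def uniform_checkout(email: str, password: str) -> str:
    """Same decision, but the reply and the work done do not depend on
    whether the email exists, so account existence is not revealed."""
    record = CUSTOMERS.get(email)
    salt, stored = record if record is not None else _DUMMY
    # Always hash and compare, so unknown emails are not answered faster.
    ok = hmac.compare_digest(_hash_password(password, salt), stored)
    if ok and record is not None:
        return "welcome back"
    return "could not sign in with that email and password"
```

The uniform version is what the page calls a poor experience: a customer who mistyped their email gets the same message as one who mistyped their password.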
Personal Information accessible via Receipt
Receipt URLs can be accessed without authentication. By default, receipts are loaded in such a way as to make them non-revisitable. In other words, during a normal checkout flow, the way the receipt appears in the browser's history will not allow revisiting it. In that way, any potential attack vector would require privileged access in the browser, at which point an attacker would already have all the info anyway.
A link to a receipt is contained in the email receipt that is sent to the customer, but if an attacker has access to the email, they already have access to the PII in the web receipt.
If you're exceptionally concerned about the security of the web-based receipts, however, you can change your receipt template to simply not output any data at all, and/or redirect to your own system to handle a receipt display using our outgoing SSO functionality.
Since the cart contents persist via a cookie, they could be seen by others on a shared computer. If this is a problem, avoid products that have personal information in the options, or use the empty=reset functionality where available to clear the session entirely.
The /cart endpoint allows JSONP requests without checking the Origin or Referer header, so it would be possible for a malicious website to read your customers' cart contents. For this reason, we recommend against collecting personal information as product options.
Please give this primer a read. It's good stuff.