Often ignored but critical policies and architecture requirements for a secure and scalable Shopify Plus Headless Commerce Storefront.
As enterprise Shopify Plus stores embrace headless, it's imperative to emphasize all technology stack layers equally. The pros of going headless include better UX, increased speed, and customizable URLs, but all of those come with a tradeoff in complexity with architecture. While migrating a headless Shopify storefront to the AWS cloud gives room for additional freedom, flexibility, and scalability, the complex architecture leads to more security gaps that can be exploited.
Security in the cloud is one issue that has persisted with time. Various threat actors increasingly target cloud environments. This is not surprising because hackers unlawfully look to leverage the abundance of computing resources for their selfish gains. According to Checkpoint's 2022 cloud security report, 68% of cloud security vulnerabilities resulted from the client's misconfiguration. The deduction is that: a cloud environment's security depends significantly on how well an organization follows AWS Shopify security best practices to keep potential threats at bay.
In our experience, security is an intentional and necessary choice–a choice that saves time, money, and a lot of heartache if and when things go wrong. To be efficient and consistent, we’ve curated a list of security best practices and procedures to follow when configuring Amazon Web Services (AWS) infrastructure for Headless Shopify Plus storefronts. If you’re still exploring Shopify for your Headless Commerce storefront, please use our affiliate link to sign-up for a free trial.
1. Use AWS WAF and OAI to Control Direct Access to the Content
As the largest cloud computing platform, AWS understands the need for comprehensive security offerings. AWS web application firewall (WAF) is among their vast array of quality solutions. This service helps manage and control the HTTP and HTTPS requests forwarded to CloudFront, AWS’s native content delivery network. CloudFront distribution retrieves its contents from AWS S3 buckets to restrict unauthorized direct URL access to data stored in S3 buckets, it is recommended to create and configure Origin Access Identity (OAI) towards each CloudFront distribution. By creating an OAI and configuring the permission of S3 buckets to grant only the origin access identity (OAI) read permission, it will effectively ensure that files in S3 buckets are accessible strictly using CloudFront.
2. Create a Web ACL and Associate It With CloudFront Distributions
CloudFront allows privileged users to specify various conditions, including query strings, the IP address to which it responds with the requested content, or an HTTP error code if the content is out of reach. Creating an AWS WAF web access control list (web ACL) is a great way to manage the traffic directed to CloudFront, thereby minimizing the threat of outsiders accessing sensitive data in the business’s headless Shopify S3 bucket.
3. Add HTTP Security Headers Using Lambda@Edge and CloudFront
Security headers are another great way to exert security controls on how the server responds to various content requests. When a client visits the Shopify storefront, the server responds with the requested web page and HTTP headers carrying some preset configurations. Various security headers communicate with the client's browser to perform security checks and blocks as appropriate.
Some security headers include;
- Strict Transport Security—enforces modern web browsers to always connect via HTTPS (secure connection via SSL/TLS) and never connect via insecure HTTP protocols.
- Content-Security-Policy—stops XSS attacks and other threat activities by specifying which dynamic resources the browser allows loading.
- X-Content-Type-Options—enables supportive browsers to protect against MIME-type sniffing exploits.
- X-Frame-Options—helps modern web browsers protect visitors against clickjacking and other client-side threats.
- X-XSS-Protection—enables the XSS filter provided by web browsers, including Internet Explorer 8+, Chrome, Firefox, and Safari.
- Referrer-Policy—tells modern browsers how to handle or exclude the Referer header.
Sequence of events for triggering our Lambda@Edge function
Using Lambda@edge, AWS allows the execution of Lambda functions that will include security headers in the response sent by the server before CloudFront caches it and then serves it to the client. This measure will secure the AWS Shopify storefront from various attacks, including DDoS and XSS.
4. Write the Least Privileged IAM Policies
AWS Visual Policy Editor
Since AWS allows the creation of multiple sub-accounts for various employees or professionals who might need to access a cloud environment to discharge their duties, it is paramount to be able to manage them efficiently.
AWS Identity and Access Management (IAM) policies ensure that a central authority is able to control everyone who has access to the cloud environment and how much they can do with their sub-accounts.
It would be best to adopt the principle of the least privilege when configuring IAM policies. That is, do not grant excessive permission to any subaccounts. Social engineering is one of the most exploited points of attacks on cloud environments, so ensuring restrictive permissions to every sub-account in an AWS cloud environment is critical.
5. Create .env File for 3RD Party APIs to Avoid Auth Keys in Frontend Code
MAIL_DRIVER=smtp MAIL_HOST=smtp.gmail.com MAIL_PORT=587 MAIL_USERNAME=********** MAIL_PASSWORD=*********** MAIL_ENCRYPTION=tls MAIL_FROM_ADDRESS=******** MAIL_FROM_NAME="Your App Name" DEFAULT_LANG_CODE=en API_URL=http://localhost:8082/api/v1 EXT_APP1_USERNAME=******* EXT_APP1_PASSWORD=******* EXT_APP1_API_KEY=******** EXT_APP1_SOAP_URL=******* EXT_APP2_TOKEN=******** EXT_APP2_SECRET=******* EXT_APP2_USERNAME=***** EXT_APP2_PASSWORD=***** EXT_APP2_MESSAGING_ACCOUNT_ID=***** EXT_APP2_APPLICATION_TOKEN=******** EXT_APP2_FROM_NUMBEr=********** EXT_APP2_API_URl=https://ext-app2-uri.com/api/ EXT_APP2_SITE_ID=***** EXT_APP2_CALLBACK_URL=http://localhost:8082/api/v1/app2/callback PAGINATION_LIMIT=10
To avoid such a disastrous scenario as an attacker gaining access to the system and stealing sensitive user credentials, API keys should be kept in a .env file. This can be achieved by:
- Creating an .env file at the root of the project
- Adding all API keys to it,
- Including it in the project’s .gitignore file.
This will ensure that sensitive API keys don't push to an online repository and, eventually, avoid pushing it to the Headless Shopify AWS distribution.
6. Enable CloudTrail in All AWS Regions
As a growing business that serves users across countries and regions, compliance with various GDPR, PCI, and SOC Type 2 regulations and security benchmarks is inescapable. CloudTrail helps to ensure the security of the business by verifying user compliance in these regions. It also monitors user activities and records events from the client-side of a Shopify store. AWS CloudTrail also helps detect unauthorized access using cloud events and responds proactively to security incidents with preset rules in CloudTrail's EventBridge. Likewise, it also makes it easy to perform root analysis of incidents and discover unusual activities.
7. Configure Amazon CloudWatch and GuardDuty
How Amazon CloudWatch works
AWS CloudWatch allows users to quickly and feasibly monitor the Shopify AWS environment without needing to set up a monitoring and logging tool from scratch. To extend the monitoring ability of CloudWatch, it is recommended to additionally configure Amazon GuardDuty, a threat detection system that ensures continuous monitoring of the AWS environment for malicious threats and irregular behavior. By integrating GuardDuty with Cloudwatch, visualization of Amazon GuardDuty metrics will be effortless, thereby making it straightforward to trigger automatic alerts, responses, or notifications.
8. Enable Multi-Factor Authentication on All Sub-accounts
With multiple employees having access to the headless Shopify AWS environment, the risk of an attack via social engineering increases proportionally. As a second-level access control measure, enable two-factor authentication for all accounts/sub-accounts in the AWS Shopify Plus cloud environment.
Security in the cloud is not a one-time fix. It is a continuous and inclusive process that everyone who has access to the AWS infrastructure must participate in. Stakes are even higher for Headless Shopify storefronts relying on seamless hosting of their frontend environments. In addition to the checklist above, it’s beneficial to approach AWS configuration early-on using a “Security by Design” approach.
“Security by Design (SbD) is a security assurance approach that formalizes AWS account design, automates security controls, and streamlines auditing.”
Security by Design (SbD) refers to the AWS-recommended process to security assurance approach that formalizes AWS account design, automates security controls, and streamlines auditing. It highlights the need for:
- Analyze carefully all the primary requirements and specifications,
- Build an AWS cloud architecture that systematically enforces security while excellently serving the core business requirements of your Shopify storefront, pro tip: use AWS Control Tower,
- Define strict configurations and reusable templates for all services required for maintaining and scaling your Headless Storefront,
- Perform validation activities using the rules defined in your templates as an audit guide.
How can AKOS help?
At AKOS, we pride ourselves on building accessible, secure, and scalable software solutions. While security considerations and implementations are often extensive and expensive, our well-defined processes and checklists have helped us establish foundational practices we can deploy quickly and efficiently. We're happy to share our expertise and security templates with you; just Say Hello!