Client-side Security Implications of running an eCommerce Site

Running an eCommerce site is an exciting and essential way to expand your business. While most small businesses prefer to piggyback on existing platforms like Amazon, Etsy, or eBay to keep costs to a minimum, an increasing number of medium-sized organizations are building their own.

Building an eCommerce site is a fantastic way to sell your products or services, especially if your business is in a niche area. Perhaps you sell electronic components that are complex to classify on general platforms, or you offer made-to-order handmade furniture, and your pieces are bespoke to each client. Or maybe you have a killer idea for a new way to present your products that standard platforms just don’t offer.

Whatever your reason, security is a key aspect to building customer trust, and while there is a lot of information on the web about server-side security, there is less on the client-side. In this article, we look at a few aspects to consider.

SSL and TLS

Technically, Secure Sockets Layer (SSL) has already been deprecated in favor of Transport Layer Security (TLS), which is already in its fourth iteration, though the two terms are commonly used interchangeably. These protocols encrypt the traffic between the browser and your site: data is exchanged unencrypted over port 80 (the HTTP default) and encrypted over port 443 (HTTPS), using the security certificate installed on your server. As well as applying certificates to your servers and/or services, it is best practice to redirect any request that arrives on port 80 to port 443, so that all traffic (other than that initial client-side request) is guaranteed to run over the secure port.

This means that port 80 should be left open in your firewall settings so the redirect can be issued. Some systems managers prefer to shut it off completely, but this is poor practice commercially: any requests users make over HTTP (rather than HTTPS) will simply be lost, potentially resulting in lost sales.
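The port-80 listener described above, as an added example that is not part of the original article: a small Python standard-library server that answers every plain-HTTP request with a redirect to the same URL on HTTPS, and a helper that builds the secure-side Strict-Transport-Security header. The hostnames in SERVED_HOSTS are constructed, the function and class names are hypothetical, and the demo listens on port 8080 only so it can run unprivileged; in production it would listen on port 80. One practitioner's check is built in: the redirect target is taken from the Host header only if that host is one you actually serve, so a forged Host header cannot turn the redirector into an open redirect.

```python
"""Plain-HTTP listener that forwards every request to its HTTPS equivalent.

Added example (not the article's code). Demonstrates the port-80 -> port-443
redirect the article recommends, plus an HSTS header for the secure side.
"""
from http.server import BaseHTTPRequestHandler, HTTPServer
from typing import Optional
from urllib.parse import urlsplit, urlunsplit

# Constructed example hostnames: the only hosts this shop actually serves.
SERVED_HOSTS = {"shop.example.com", "www.shop.example.com"}

# Sent by the HTTPS side so browsers stop making port-80 requests at all
# (one year, including subdomains).
HSTS_VALUE = "max-age=31536000; includeSubDomains"


def https_location(host_header: Optional[str], target: str) -> Optional[str]:
    """Build the HTTPS URL a plain-HTTP request should be redirected to.

    host_header: the request's Host header (may carry ':80'); None if absent.
    target:      the request target as received, e.g. '/cart?item=42'.
    Returns None when the Host header is missing or names a host we do not
    serve, so the caller answers 400 instead of redirecting to a host chosen
    by whoever wrote the header.
    """
    if not host_header:
        return None
    # urlsplit lowercases the hostname and strips any explicit port; after the
    # redirect the browser uses 443 implicitly.
    hostname = urlsplit("//" + host_header).hostname
    if hostname not in SERVED_HOSTS:
        return None
    parts = urlsplit(target)
    path = parts.path if parts.path.startswith("/") else "/" + parts.path
    # Keep path and query; fragments are never sent to the server anyway.
    return urlunsplit(("https", hostname, path, parts.query, ""))


def redirect_status(method: str) -> int:
    """301 is fine for GET/HEAD; 308 keeps the method and body for anything else."""
    return 301 if method.upper() in ("GET", "HEAD") else 308


def secure_response_headers() -> dict:
    """Headers the port-443 side should add to every response."""
    return {"Strict-Transport-Security": HSTS_VALUE}


class RedirectHandler(BaseHTTPRequestHandler):
    """Answers every method with a redirect (or 400 for a bad Host header)."""

    def _redirect(self) -> None:
        location = https_location(self.headers.get("Host"), self.path)
        if location is None:
            self.send_error(400, "Bad Host header")
            return
        self.send_response(redirect_status(self.command))
        self.send_header("Location", location)
        self.send_header("Content-Length", "0")
        self.end_headers()

    do_GET = do_HEAD = do_POST = do_PUT = do_DELETE = _redirect


if __name__ == "__main__":
    # Port 8080 so the demo runs unprivileged; production binds port 80.
    HTTPServer(("", 8080), RedirectHandler).serve_forever()
```

Run it, then `curl -i -H 'Host: shop.example.com' http://localhost:8080/cart?item=42` shows the 301 with the HTTPS Location; the same request with an unknown Host is refused rather than redirected. The HTTPS side stays a separate listener with the real certificate, and the HSTS header it sends is what eventually makes the port-80 path almost unused by returning visitors.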


Email Security

One area not under the control of the eCommerce platform is email security. Email is a common vector for phishing and virus attacks on client-side computers and tablets. Generally, both attack types are designed to do the same thing: steal access or data. Viruses do this by installing a small program on the client computer, whereas phishing attacks can be much more subtle. They may:

  • Include a link to "reset" (and therefore capture) your login details
  • Ask you to send your login details, often presented as important and beneficial to the recipient, such as verifying your account
  • Include a link to download a file
  • Give an urgent reason to click a link or send your details, e.g., a prize draw or event

While eCommerce sites have extraordinarily little control over attempts of this nature, they can help by advising users on how to be more vigilant against phishing attacks.

We can all play our part in preventing spam, junk, and phishing. More recently, many email providers have introduced reporting of phishing attacks, viruses, and junk mail. This is a powerful tool in the war against these attacks, as the providers can aggregate the reports to become much better at automatically detecting communications of these types. So, the more data users provide, the fewer junk emails they are likely to receive.

In this brief article, two aspects of client-side security for eCommerce providers have been explored. Many other topics remain, including installing antivirus and antimalware software, minimizing the form data collected, and defending against JavaScript vulnerabilities, cross-site scripting attacks, and payment skimming. eCommerce companies have a moral and sometimes legal obligation to protect their users as much as possible. And let’s not forget that eCommerce sites profit from their users, so ensuring their data is as secure as possible is the right thing to do.

Disclaimer: This content does not necessarily represent the views of IWB.
