SuiteCommerce Site Security Best Practices

suitecommerce-site-security

Site security is a big topic these days. Based on an analysis of 7 million websites, SiteLock reported that websites experience 94 attacks per day, and are visited by bots 2,608 times a week on average. But how can we protect our website from these threats?

With SuiteCommerce, NetSuite offers a strong, cloud-based solution for managing eCommerce stores, but securing your site requires more than just activating default settings. Today, we’ll share some of our best practices to keep our clients’ SuiteCommerce sites safe while maintaining a pleasant, seamless shopping experience for customers.

1. Use HTTPS Everywhere

This is no longer an option, but a must-do. In fact, just recently, NetSuite stated it would end the support of non-secure website domains, meaning those without HTTPS domains. An SSL certificate not only encrypts data between your users and your site, but it also enhances trust and improves SEO rankings. 

NetSuite provides SSL support, but it’s your job to make sure it’s correctly configured and that all assets (scripts, images, etc.) load securely. Additionally, make sure to automatically redirect HTTP traffic to HTTPS and regularly monitor for any mixed content issues.

2. Two-Factor Authentication (2FA)

For optimal security, SuiteCommerce Admin roles should be protected with Two-Factor Authentication. This extra login step adds an additional layer of security by requiring users to provide a second verification method (normally a mobile app code or so). Ask all users with access to critical areas, such as developers and third-party integrators, to install 2FA.

3. Keep Site Up to Date

Just like any software, your SuiteCommerce themes and extensions should be kept updated. NetSuite periodically releases updates to patch security issues or improve performance. For maximum optimization, we strongly recommend working with a NetSuite partner like us who will make sure you stay up to date with NetSuite news and improvements.

4. Role-Based Access Control

SuiteCommerce allows for role-based access control, meaning you can grant access and permissions based on necessity according to roles. This helps limit exposure if a user account is compromised. We recommend reviewing roles and permissions regularly, making sure to remove or downgrade access when no longer needed.

5. Secure Custom Code and Integrations

Whether you’re adding custom JavaScript, integrating third-party APIs, or working with external developers, make sure you validate and secure everything. 

Improperly coded extensions or unvetted integrations can introduce vulnerabilities. To avoid this, run security audits on custom code and follow NetSuite’s SuiteScript best practices. Also, use Content Security Policy (CSP) headers to restrict where scripts can be loaded from.

6. Monitor and Log Site Activity

You can log and monitor your SuiteCommerce site activity via NetSuite’s system logs. Take the time to review these logs regularly to detect unusual activity like failed login attempts or unexpected changes to your site’s content.

You can leverage external monitoring tools such as SiteLock, Sucuri, or Intruder, which can alert you if something suspicious is going on.

7. Proper Session and Cookie Policies

Ensure your session timeout settings are reasonable and that cookies are secured with the HttpOnly and Secure flags to prevent session hijacking. Use the SameSite attribute to reduce cross-site request forgery (CSRF) risks.

In Conclusion

As you can see, SuiteCommerce site security isn’t a one-time task, but more of an ongoing process. Yes, following these best practices and monitoring regularly will help you be less vulnerable, but working with a NetSuite expert is a steady way to keep your site optimized for growth. Contact us today to start working with our NetSuite Support team!