Creating a secure storefront is one of the most important factors in building trust with your shoppers. The security settings in the control panel allow you to control various aspects of your store such as shopper password complexity, inactivity thresholds, reCAPTCHA, and advanced security policies.

 
 

Requirements

  • To manage security and privacy settings, you must have the Manage Settings permission enabled on your user account.
  • To manage storefront specific settings, you must have the Manage Channels permission enabled.
 
 

Security and Privacy Settings

Security settings can be accessed by going to SettingsSecurity & Privacy.

 

Shopper Password Complexity

Configure complexity of the shoppers password allows you to specify the requirements for passwords on storefront accounts.

Password complexity settings.

A minimum of seven characters is required when changing minimum password length. The following special characters are allowed for password creation: ! ' " # $ % & \ ( ) * + , . / : ; < > = ? @ [ ] \ ^ - _ ` { } | ~. Spaces are also allowed.

 

Pro Tip! Existing customer passwords will not be forced to conform to current, stricter requirements until they next update their passwords. As a best security practice, we recommend forcing customers to reset their password on their next login.

 

Inactive Shopper Logout

The Inactive shopper logout setting allows you to control when your shoppers will be automatically logged out of their storefront account. You can use the default seven days, or you can set a custom duration.

You can allow storefront activity to extend the inactive logout time with the Shopper activity extends logout duration setting. When this setting is enabled, activity on the storefront, such as clicking on a product, restarts the Inactive shopper logout timer.

Inactive shopper logout settings.

 

Control Panel Timeout

For security purposes, users are automatically logged out of the control panel if they are inactive for a specified amount of time. The Control Panel Inactivity Timeout setting can be configured from 20 minutes to a maximum of two hours. As it is a security feature, the inactivity timeout cannot be disabled.

Control panel inactivity timeout setting.

Five minutes before automatically logging you out, a pop-up warning with a countdown timer will appear in the control panel. To keep working, you can click the Dismiss button or perform an action in the control panel during the countdown.

Control panel inactivity warning pop-up window.

Actions such as clicking to edit a product, navigating the control panel, and saving changes are recognized as activity. Simply typing in a field, in and of itself, is not recognized as activity. To prevent losing your work by being automatically logged out, we recommend saving your progress periodically.

 

Storefront reCAPTCHA

Check the box next to Enable reCAPTCHA on storefront to help prevent bot spam submissions of contact forms, product reviews, account sign-up forms, and customer account password reset requests.

When enabled, a reCAPTCHA will prompt shoppers to check a box before they can submit a storefront form.

Storefront reCAPTCHA challenge.

 

Note: The reCAPTCHA settings in Security & Privacy do not enable reCAPTCHA for the checkout page. If you would like to enable reCAPTCHA for checkout, see General Checkout Settings.

If you would like to see reCAPTCHA data in Google Admin Console, create a reCAPTCHA API key pair and enter it into the reCAPTCHA Site Key and reCAPTCHA Secret Key fields. If these optional keys are not specified, the default BigCommerce reCAPTCHA keys will be used instead.

reCAPTCHA storefront settings.

If your store has not launched yet, you can add a reCAPTCHA prompt to your store preview landing page by checking the box next to Enable reCAPTCHA on a storefront pre-launch login page.

Pre-launch landing page reCAPTCHA setting.

 

Failed Login Lockout

The Failed Login Lockout setting allows you to set the number of seconds a customer is locked out of their storefront account after failed login attempts. The maximum lockout time allowed is 3600 seconds (one hour).

Failed customer account login lockout setting.

If a visitor enters an incorrect password for a customer account four times, a banner will appear informing them of the lockout period.

Storefront lockout banner.

 

Your Customers' Privacy

The settings under Your customer’s privacy can help you comply with local privacy laws such as GDPR and CCPA by giving shoppers the ability to opt out of certain cookie and script categories.

 

Localized Store Experiences: This cookie consent tracking banner can be displayed in any of our supported languages. For more information on the default language store setting, see Store Profile Settings.

Customer privacy settings.

  • Cookie consent tracking — displays a banner on your storefront, prompting shoppers for their consent to use cookies and other similar technologies while visiting your storefront.
  • Privacy Policy URL — Enter your fully qualified privacy policy URL (for example, https://mystore.com/privacy). This can be linked in your store’s navigation and at checkout.
  • Analytics for my business — When enabled, we track your customers’ behaviors for your Ecommerce Analytics reports.
 

Did you know? If Analytics for my business is disabled, you will not receive Ecommerce Analytics reports for your store. Turning it on will not recover the missed data.

If you have more than one storefront, you can manage the cookie consent banner and privacy policy URL individually per storefront.

Go to Channel Manager and click Edit storefront settings for your storefront, then click Customers’ privacy. Uncheck the box next to Use global and adjust your desired settings.

Use global checkbox highlighted in Multi-storefront Customer's privacy settings.

 
 

Advanced Security Settings

The settings in the Storefront section allow you to configure advanced security policies for your storefront. These advanced options are HTTP Strict Transport Security (HSTS), Content Security Policy (CSP), and X-Frame-Options. These settings can improve the security of your storefront by adding additional layers of protection.

 

HTTP Strict Transport Security (HSTS)

 

Review your storefront before enabling HSTS. Changing these settings can have severe consequences for your storefront if done incorrectly. Ensure that there is no HTTP content on your storefront, such as image assets. This includes any listed subdomains as well, such as blog.domain.com.

HSTS tells browsers that they should only interact with your store using HTTPS connections and never via the insecure HTTP protocol. When enabled, you can choose to apply HSTS to your subdomains and specify the max-age for the HSTS headers.

HSTS settings.

The max-age is the time during which web browsers can cache the HSTS headers, allowing HTTPS only communication. You can set the duration to five minutes or one year, or disable HSTS entirely by setting it to zero (not recommended). To ensure that your storefront does not have any issues with HTTP content, we recommend setting it to five minutes for testing purposes before enabling HSTS for one year.

As enabling Apply Preload requires the max-age to be set to 12 months and to include subdomains, it is extremely important that your entire site and all of your subdomains (such as blog.store.com or mail.store.com) are ready to be served exclusively over HTTPS.

 

Pages loaded over HTTP will fail until the max-age has expired! If you have set the max-age for one year, any page that fails will be inaccessible until the cache expires after a year. Lowering the max-age or disabling it will not affect pages already cached.

 

Content Security Policy (CSP)

CSP helps to detect and prevent certain types of attacks such as cross-site scripting (XSS), clickjacking, and other data injection attacks.

Use the default CSP header or select Specify my own CSP header to enter your custom policy. The Content Security Policy Header Value field allows a maximum of 1,000 characters.

Content security policy header value setting.

See MDN's Content Security Policy (CSP) for more information, common use cases, and how to write a policy.

 

X-Frame Options

The X-Frame-Options header is used to avoid click-jacking attacks by indicating whether or not a browser should be allowed to render a page in a frame, iframe, embed, or object HTML element. If enabled, the following options are available:

X-frame-Options header settings.

  • Deny — The page cannot be displayed in a frame, regardless of the site attempting to do so.
  • Same Origin — The page can only be displayed in a frame on the same origin as the page itself.
  • Allow from url — The page can only be displayed in a frame on the specified origin.

For more information, see MDN's X-Frame-Options.

 
 

FAQ

If I change the Inactive shopper logout duration while customers are on the storefront, will they be logged out of their accounts?

No. Customers will remain logged into their accounts on the storefront. The logout timer starts after the customer’s last activity on your store. For example, if you have set a 24 hour duration, that 24 hour period will start with the customer’s last activity.

When my customer is automatically logged out, will they lose the content of their carts?

No. Customer carts are independent of the Inactive shopper logout setting. Carts expire automatically after seven days.

Stores on Plus, Pro, or Enterprise plans can enable Persistent Cart, allowing customers logged into their storefront account to access their cart from any device and browser for 30 days.

Where can I find more information about security in BigCommerce?

The Platform Trust Center provides comprehensive information about BigCommerce platform security, including statements of compliance, policy links, and a feed for security updates.