Security
ShipCommerce is built with security as a core principle, not an afterthought.
Defense in Depth
Multiple layers of security ensure that even if one layer is compromised, others remain intact.
Security Features
CSRF Protection
Double-submit cookies with 24h token rotation
Rate Limiting
4 independent limiters + burst detection against brute-force and application-layer abuse (volumetric DDoS still needs protection at the CDN or edge)
XSS Prevention
Allowlist HTML sanitizer with forbidden tags, plus React's default escaping of rendered strings (anything passed to dangerouslySetInnerHTML still goes through the sanitizer)
Audit Logging
Immutable, append-only audit log covering 16+ event types
Security Headers
ShipCommerce sets 13 HTTP security headers; the table lists six of them:
| Header | Purpose |
|---|---|
| Strict-Transport-Security | Force HTTPS: the browser remembers to upgrade later requests for the header's max-age |
| X-Frame-Options | Prevent clickjacking by refusing to render the site inside another page's frame |
| X-Content-Type-Options | Prevent MIME sniffing (`nosniff`), so a response is never executed as a type other than the one it declares |
| Content-Security-Policy | Control which origins may load scripts, styles, frames and other resources |
| Referrer-Policy | Limit the referrer information sent to other origins |
| Permissions-Policy | Disable browser features the app does not use (camera or geolocation, for example) |
Database Security
- Row Level Security (RLS) — Postgres policies enforced by the database itself, so a user can only read or modify rows tied to their own user id, whichever API route issued the query
- Parameterized Queries — the Supabase client sends filters as query parameters rather than string-concatenated SQL, which prevents SQL injection (hand-written SQL in database functions still has to be parameterized)
- Encrypted at Rest — database storage is encrypted by the hosting provider
- SSL/TLS — all connections to the database are encrypted in transit
Payment Security
- Stripe Elements — card details are typed into Stripe-hosted iframes, so card data never touches your server
- PCI DSS Level 1 — Stripe is a Level 1 service provider; keeping card data off your server shrinks your own PCI scope to the smallest self-assessment (SAQ A) rather than removing it entirely
- Webhook Signatures — every Stripe webhook is checked against the endpoint signing secret before it is processed, so a forged "payment succeeded" event is rejected
Compliance
- GDPR Ready — Data export, right to deletion, consent management
- Cookie Policy — Essential cookies only by default
- Privacy Policy — Template included
Security Audit Value
Implementing this level of security from scratch would cost:
€5,000+
Already included in ShipCommerce