1

We had a customer on VPS who failed a PCI Compliance scan because the Magento login for downloader (http://yourstore/downloader) was not encrypted and so the password was being passed in plain text.

A quick look indicated that there are a few ways to fix this; the best we came up with was to incorporate two:

1) Limit access to the downloader directory by IP Address
2) Redirect all requests to the downloader directory to a secure SSL connection.

Appending the following code to the downloader/.htaccess file achieves this quickly and easily :

RewriteEngine On
# Redirect anyone not coming from the listed address back to the store's front page.
# Anchor and escape the address when you fill it in, e.g. !^203\.0\.113\.10$
RewriteCond %{REMOTE_ADDR} !ENTER_YOUR_IP_HERE
RewriteRule (.*) http://%{HTTP_HOST} [R=302,L]
# Send any remaining plain-HTTP request to the same URL over HTTPS.
RewriteCond %{SERVER_PORT} !443
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=302,L]

You'll obviously need to add your IP at the "ENTER_YOUR_IP_HERE" point. Make sure you don't delete the ! or you'll lock only yourself out of Magento Connect!
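A hardened variant of the same two controls, added here as an example and not part of the original post. It differs from the snippet above in three ways: the IP pattern is anchored and dot-escaped (an unanchored `!1.2.3.4` also matches addresses such as 1x2x3x45, because `.` is a regex wildcard), unlisted clients get a 403 instead of a redirect to the front page, and the TLS test uses `%{HTTPS}` rather than the port number. The addresses 203.0.113.10 and 198.51.100.0/24 are constructed placeholders.

```apache
# downloader/.htaccess (added example; replace the placeholder addresses)
RewriteEngine On

# 1) Allow-list by client address. The pattern is anchored (^...$) and the
#    dots are escaped so it matches exactly these addresses and nothing else.
#    Add further addresses to the alternation separated by |.
RewriteCond %{REMOTE_ADDR} !^(203\.0\.113\.10|198\.51\.100\.7)$
RewriteRule ^ - [F]

# 2) Force TLS: any request that did not arrive over HTTPS is redirected
#    to the same path on https://, with an explicit permanent redirect.
RewriteCond %{HTTPS} !=on
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]

# On Apache 2.4 the allow-list can also be expressed without a regex, with
# CIDR support; when mod_authz_core is present this applies as well.
<IfModule mod_authz_core.c>
    Require ip 203.0.113.10 198.51.100.0/24
</IfModule>
```

To confirm the change took effect, request the directory from an address that is not listed and expect a 403 (`curl -sI https://yourstore/downloader/`), then request it over plain HTTP from a listed address and expect a 301 whose `Location:` header begins with `https://`.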

2

Thank you so much for posting this! I stumbled across it right before I went through a PCI scan and it worked like a charm!!

3

Hi simondw, thanks for the feedback, we're glad it worked out for you :)