Configuration
Activating the OXID Security Module
Procedure
Under
, choose the OXID Security module.
On the Overview tab, choose the Activate button.
Result
The OXID Security Module is ready for use immediately after activation (Fig.: OXID Security module installed and activated).

Fig.: OXID Security module installed and activated
Configuring CAPTCHA Verification
Enable CAPTCHA verification to protect your forms from automated submissions.
CAPTCHA checks are integrated into the following forms:
Registration
Login
Newsletter subscription and unsubscription
Contact form
You have the following options:
Recommended: To prevent spam or bot abuse, especially if you are currently experiencing or anticipating such activity, enable the image-based CAPTCHA verification (Fig.: Example: Image-based CAPTCHA verification in the contact form). This method is robust and suited to security-critical forms such as registration or newsletter sign-up.
If you want to detect bots discreetly, without the user-experience impact of a visible CAPTCHA, enable the Honeypot CAPTCHA feature.
In this case, an invisible input field is added to the form (Fig.: Testing the Honeypot CAPTCHA, item 1). Automated scripts that try to fill in every field typically enter data into this field as well; such a submission is then blocked.
To improve defense in depth and reduce the chance of a bot bypass, enable the Honeypot CAPTCHA in addition to the image-based CAPTCHA verification; the two checks are independent layers of protection.
The honeypot can silently flag suspicious behavior even if the image CAPTCHA is solved correctly (for example, by a CAPTCHA-solving service).
Procedure
In the menu, go to
and select the module.
Click the Settings tab.
Go to CAPTCHA settings.
Fig.: Configuring CAPTCHA verification
You have the following options:
Enable image-based CAPTCHA verification:
Choose the Enable CAPTCHA Security checkbox.
Optionally, define the CAPTCHA lifetime, i.e., how long the CAPTCHA image remains valid. Default value: 15 minutes.
If the CAPTCHA has expired by the time the form is submitted, the submission is rejected.
Recommendation: Choose a value depending on the form type, expected fill-out time, and required security level:
Short lifetime (5 min): Suitable for highly security-sensitive forms (e.g., registration). It narrows the window in which a solved CAPTCHA can be replayed or relayed to a solving service. It may cause problems for users who need more time (e.g., due to accessibility requirements or age-related limitations).
Longer lifetime (30 min): Better for forms with extended input time (e.g., contact forms with free-text fields). It reduces support requests because fewer submissions fail on an expired CAPTCHA.
Enable invisible bot protection with no user interaction required:
Choose the Enable Honeypot CAPTCHA checkbox.
Carefully test the Honeypot CAPTCHA feature if your OXID eShop must strictly adhere to accessibility guidelines.
Background: A honeypot is generally unproblematic for accessibility, but incorrect markup can prevent the invisible field from being hidden properly.
This happens, for example, when CSS rules are not applied as intended: the field may become visible, or screen readers may announce it, so that real users fill it in and have their submission rejected.
Save your settings.
Result
The image-based CAPTCHA verification (Fig.: Example: Image-based CAPTCHA verification in the contact form) blocks automated submissions in security-critical forms.
Submission attempts that do not solve the CAPTCHA are rejected; the form remains accessible and operable for users with assistive needs.
Fig.: Example: Image-based CAPTCHA verification in the contact form
If Honeypot CAPTCHA is enabled, an invisible field is inserted.
In the contact form, for example, you find an invisible lastname_confirm field (Fig.: Testing the Honeypot CAPTCHA, item 1):
<input type="text" name="lastname_confirm" class="d-none" value="" tabindex="-1" autocapitalize="off" spellcheck="false" autocorrect="off" autocomplete="off" />
To test the function, do the following:
Inspect the form's HTML source and look for a hidden input field that should not be filled (class="d-none").
Fill the field in the browser by removing the class="d-none" styling or by editing the input value directly in the HTML (value="Doe", for example).
Submit the form and verify that it is rejected with an error.
Fig.: Testing the Honeypot CAPTCHA
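The honeypot rule and the markup checks from the accessibility caveat above, modelled as a stand-alone Python script. This is an added example, not code from the OXID Security module (which implements the check server-side in PHP). Only the lastname_confirm input is copied from the page; the other form fields, the parse helper and the function names are constructed for the example.

```python
"""Honeypot check as described on this page, modelled in Python.

Not OXID code: the OXID Security module implements this server-side in PHP.
The form below is constructed; apart from the lastname_confirm input, which is
the markup shown on the page, all field names are made up for the example.
"""
from html.parser import HTMLParser
from typing import Dict, List

HONEYPOT_FIELD = "lastname_confirm"  # name used in the page's contact form example

# Constructed sample form (generic field names; only lastname_confirm is from the page).
SAMPLE_FORM_HTML = """
<form method="post" action="/contact">
  <input type="text" name="firstname" />
  <input type="text" name="lastname" />
  <input type="text" name="lastname_confirm" class="d-none" value="" tabindex="-1"
         autocapitalize="off" spellcheck="false" autocorrect="off" autocomplete="off" />
  <input type="email" name="email" />
  <textarea name="message"></textarea>
  <input type="submit" value="Send" />
</form>
"""


class _FieldCollector(HTMLParser):
    """Collects the attributes of every named <input> and <textarea>."""

    def __init__(self) -> None:
        super().__init__()
        self.fields: List[Dict[str, str]] = []

    def handle_starttag(self, tag, attrs) -> None:
        if tag in ("input", "textarea"):
            field = {k: (v if v is not None else "") for k, v in attrs}
            field.setdefault("type", "text" if tag == "input" else "textarea")
            if "name" in field:
                self.fields.append(field)


def parse_form_fields(html: str) -> List[Dict[str, str]]:
    collector = _FieldCollector()
    collector.feed(html)
    return collector.fields


def honeypot_markup_issues(field: Dict[str, str]) -> List[str]:
    """Checks the attributes the page's honeypot markup relies on.

    The field must be a real text input hidden by CSS (class d-none), skipped
    by keyboard focus (tabindex=-1), never pre-filled by the browser
    (autocomplete=off) and empty by default; otherwise it may be rendered,
    reached by assistive technology, or filled for a legitimate user.
    """
    issues = []
    if field.get("type") != "text":
        issues.append("honeypot should be a text input hidden by CSS, not type=%s" % field.get("type"))
    if "d-none" not in field.get("class", "").split():
        issues.append("missing class d-none: field may be rendered visibly")
    if field.get("tabindex") != "-1":
        issues.append("missing tabindex=-1: keyboard users and screen readers may reach the field")
    if field.get("autocomplete", "").lower() != "off":
        issues.append("autocomplete not off: browser autofill may fill the field for real users")
    if field.get("value", "") != "":
        issues.append("field is pre-filled: every submission would be rejected")
    return issues


def is_bot_submission(post_data: Dict[str, str], honeypot: str = HONEYPOT_FIELD) -> bool:
    """Server-side rule from the page: a non-empty honeypot value blocks the submission."""
    return post_data.get(honeypot, "").strip() != ""


def bot_fill(fields: List[Dict[str, str]], filler: str = "Doe") -> Dict[str, str]:
    """A naive bot fills every text-like field it finds, including the hidden one."""
    return {f["name"]: filler for f in fields if f["type"] in ("text", "email", "textarea")}


def human_fill(fields: List[Dict[str, str]], typed: Dict[str, str]) -> Dict[str, str]:
    """A browser submits every field, but the user only types into visible ones,
    so the honeypot is sent with its empty default value."""
    return {f["name"]: typed.get(f["name"], f.get("value", ""))
            for f in fields if f["type"] != "submit"}


if __name__ == "__main__":
    fields = parse_form_fields(SAMPLE_FORM_HTML)
    honeypot = next(f for f in fields if f["name"] == HONEYPOT_FIELD)
    print("markup issues:", honeypot_markup_issues(honeypot) or "none")
    print("bot rejected:", is_bot_submission(bot_fill(fields)))
    user = {"firstname": "Jane", "lastname": "Doe", "email": "jane@example.com", "message": "Hi"}
    print("human rejected:", is_bot_submission(human_fill(fields, user)))
```

Running the script prints no markup issues for the page's field, a rejected bot submission, and an accepted human one; the manual test in the steps above corresponds to calling is_bot_submission with lastname_confirm set to "Doe".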
Setting password policy
Specify the minimum password length and any additional requirements.
Procedure
Under
, choose the module.
Choose the Settings tab.
Under Password Policy you have the following options (Fig.: Default settings for passwords):
If required, increase the minimum password length; the default value is 8 characters.
If the value is lower than the store's default setting, the store setting takes precedence.
If required, deactivate the additional requirements for the composition of the password, which are activated by default:
The password must contain at least one capital letter.
The password must contain at least one lowercase letter.
The password must contain at least one number.
The password must contain at least one special character.
Fig.: Default settings for passwords
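The password policy described above, as an added Python model for checking candidate passwords against a given configuration. It is not the OXID Security module's own (PHP) implementation; the class and parameter names are assumptions, and "special character" is taken here to mean any character that is neither a letter nor a digit.

```python
"""Password policy check mirroring the options on this page.

Added example in Python, not the OXID Security module's own code. Names are
assumptions; "special character" here means any non-alphanumeric character.
"""
from dataclasses import dataclass
from typing import List

STORE_DEFAULT_MIN_LENGTH = 8  # the shop-wide default that the module value cannot undercut


@dataclass
class PasswordPolicy:
    """Module settings: minimum length plus the four composition rules, all on by default."""
    min_length: int = 8
    require_uppercase: bool = True
    require_lowercase: bool = True
    require_digit: bool = True
    require_special: bool = True

    def effective_min_length(self, store_default: int = STORE_DEFAULT_MIN_LENGTH) -> int:
        # A module value below the store default does not weaken the requirement:
        # the store setting takes precedence, as the page states.
        return max(self.min_length, store_default)

    def violations(self, password: str, store_default: int = STORE_DEFAULT_MIN_LENGTH) -> List[str]:
        """Returns the requirements the password fails; an empty list means it is accepted."""
        failed = []
        need = self.effective_min_length(store_default)
        if len(password) < need:
            failed.append(f"at least {need} characters")
        if self.require_uppercase and not any(c.isupper() for c in password):
            failed.append("at least one capital letter")
        if self.require_lowercase and not any(c.islower() for c in password):
            failed.append("at least one lowercase letter")
        if self.require_digit and not any(c.isdigit() for c in password):
            failed.append("at least one number")
        if self.require_special and not any(not c.isalnum() for c in password):
            failed.append("at least one special character")
        return failed


def is_acceptable(password: str, policy: PasswordPolicy = PasswordPolicy()) -> bool:
    return not policy.violations(password)


if __name__ == "__main__":
    policy = PasswordPolicy(min_length=12)
    for candidate in ("password", "Tr0ub4dor&3", "correct horse battery staple!"):
        print(f"{candidate!r}: {policy.violations(candidate) or 'accepted'}")
```

The list returned by violations is the same set of messages the registration form shows to the customer, so the script can be used to confirm that a planned configuration accepts the passwords you expect it to.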
Result
When a customer registers, the security requirements are displayed (Fig.: Displaying the security requirements, item 1).

Fig.: Displaying the security requirements