Magento Security Scan Official Report

doctor · May 1, 2019, 5:19am

Hello Craig,

Greetings.

I ran a security scan via official Magento tool(free) and got the following

Presently my site is running on Magento 2.3 vis a vis the latest version 2.3.1 , and I am running it on a droplet in Digital Ocean

The first error is API ACL, which is actually a patch released in 2016 and I did not have this error till 17th April , more ever clicking the link redirects me to the magento 2.0 release devdocs( mine is magento 2.3)

I do not understand the second point although I feel it may be a minor issue. If you would be kind enough to elaborate on that.

The third point looks relatively simple and I will do it by googling I think.
I request you for help regarding this if you can, I will be highly grateful.

Thanks in advance.

digitalstartup · May 1, 2019, 9:34am

Good morning,

I’ve never had the API ACL flag before. But I’ve only been working on versions of Magento from around 2.2. As you say, there must be a patch for that one.
The Magento /pub/ scan is really harsh. It’s the only one I fail on. However, it’s a really “hardcore/overkill” security practice. Personally, I don’t follow this one. If my opinion changes, I’ll let you know.
This one just requires you to tweak your Apache SSL Configuration. Amending the line below should fix that one (which says to accept all protocols except SSLv3, TLSv1 and TLSv1.1):

SSLProtocol  all -SSLv3 -TLSv1 -TLSv1.1

You’ll require an Apache restart for the changes to take effect. This website is a great reference for SSL Configuration: SSL Config Generator.