Magento Security Scan Official Report

Hello Craig,


I ran a security scan via official Magento tool(free) and got the following

Presently my site is running on Magento 2.3 vis a vis the latest version 2.3.1 , and I am running it on a droplet in Digital Ocean

The first error is API ACL, which is actually a patch released in 2016 and I did not have this error till 17th April , more ever clicking the link redirects me to the magento 2.0 release devdocs( mine is magento 2.3)

I do not understand the second point although I feel it may be a minor issue. If you would be kind enough to elaborate on that.

The third point looks relatively simple and I will do it by googling I think.
I request you for help regarding this if you can, I will be highly grateful.

Thanks in advance.

Good morning,

  • I’ve never had the API ACL flag before. But I’ve only been working on versions of Magento from around 2.2. As you say, there must be a patch for that one.
  • The Magento /pub/ scan is really harsh. It’s the only one I fail on. However, it’s a really “hardcore/overkill” security practice. Personally, I don’t follow this one. If my opinion changes, I’ll let you know.
  • This one just requires you to tweak your Apache SSL Configuration. Amending the line below should fix that one (which says to accept all protocols except SSLv3, TLSv1 and TLSv1.1):
SSLProtocol  all -SSLv3 -TLSv1 -TLSv1.1

You’ll require an Apache restart for the changes to take effect. This website is a great reference for SSL Configuration: SSL Config Generator.