Adding folder protection to Shopware admin

I was recently asked how to set up folder protection via .htaccess/.htpasswd on an Apache web server to make the Shopware admin panel more secure.

This is an absolutely valid request, as this is good practice in other CMSs to protect against brute-force attacks, isn’t it?

However, as I recently learned, it seems not to be necessary:

  • Shopware doesn’t host all admin panel files in a folder called /admin, as one might expect. Instead, there is only a so-called SPA (single-page application) for the login. The real content is served by the API endpoints at /api.
  • This SPA provides a JavaScript form that the usual brute-force tools cannot fill in, and even if they could, the API endpoint does not suffer from it.

Additionally, Shopware ships with the native Symfony rate limiter to prevent brute-force attacks, which can be configured as described here: https://developer.shopware.com/docs/guides/hosting/infrastructure/rate-limiter
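As an added illustration (not from the original post), this is the shape of the rate-limiter configuration in config/packages/shopware.yaml that the linked guide describes; the keys and the numbers follow the documented defaults as I recall them and should be checked against your Shopware version.

```yaml
# config/packages/shopware.yaml (added example, not from the original post;
# keys follow the linked rate-limiter guide, values are the documented defaults
# as far as I recall them - verify against your Shopware version)
shopware:
    api:
        rate_limiter:
            # token requests for the admin API (assumed to be the "oauth" limiter);
            # "enabled: false" would be the weak setting that switches it off
            oauth:
                enabled: true
                policy: 'time_backoff'
                reset: '24 hours'        # failed-attempt state resets after this quiet period
                limits:
                    - limit: 10
                      interval: '10 seconds'
                    - limit: 15
                      interval: '30 seconds'
                    - limit: 20
                      interval: '60 seconds'
            # storefront customer login (assumed to be the "login" limiter)
            login:
                enabled: true
                policy: 'time_backoff'
                reset: '24 hours'
                limits:
                    - limit: 10
                      interval: '10 seconds'
                    - limit: 15
                      interval: '30 seconds'
                    - limit: 20
                      interval: '60 seconds'
```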

Many thanks to my dear work mate @shyim who answered this request.
