I was recently asked how to set up folder protection via .htaccess/.htpasswd on an Apache web server to make the Shopware admin panel more secure.
This is an absolutely valid request, as this is good practice in other CMSes to prevent brute-force attacks, isn’t it?
However, it seems to be unnecessary, as I recently learned:
- Shopware doesn’t host all admin panel files in a folder called /admin like one might expect. Instead, there is only a so-called SPA (single-page application) for the login. The real content goes to the API endpoints at /api.
Additionally, Shopware comes with the native Symfony rate limiter to prevent brute-force attacks, which can be configured as described here: https://developer.shopware.com/docs/guides/hosting/infrastructure/rate-limiter
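As an added illustration (not part of the original post and not taken from a real shop), this is roughly what tightening the limiter for the Administration login looks like. It assumes the `oauth` limiter and the `time_backoff` policy described in the linked documentation; the file location and all limit values are illustrative, so check the key names against the docs for your Shopware version.

```yaml
# config/packages/shopware.yaml (assumed location, see the linked docs)
shopware:
  api:
    rate_limiter:
      # "oauth" covers API OAuth authentication, which is what the
      # Administration SPA uses to log in against /api.
      oauth:
        enabled: true
        policy: 'time_backoff'
        # Forget previous failures once no failed request has been
        # seen for this long (illustrative value).
        reset: '24 hours'
        # Each step applies once the number of failed attempts reaches
        # "limit"; further attempts are delayed by "interval".
        # All numbers below are illustrative, not recommendations.
        limits:
          - limit: 3
            interval: '10 seconds'
          - limit: 5
            interval: '60 seconds'
          - limit: 10
            interval: '10 minutes'
```

The limiter only slows down guessing; it does not replace strong admin passwords.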
Many thanks to my dear workmate @shyim, who answered this request.