Security

Under attack?

Use the following configuration to disable all Kirby Kart plugin API endpoints. This will ensure that your website remains online. While the option is active, however, the Kirby Kart plugin will not perform functions like logging in, generating magic links, adding products to the cart, or initiating or completing checkouts.

site/config/config.php
<?php

return [
    'under-attack' => true,
    // other options
];

Payments

Since the heavy lifting of handling the payments is 100% under the Provider's control and happens on their web servers, there are no real payment-security concerns to be found on the Kirby side.

HTTPS / SSL

Having said that, your production server should be secured with an SSL certificate, and all traffic and assets should be served over HTTPS.

Server Config

While Kirby provides you with a basic .htaccess file, I would recommend adding a few more rules to improve security and performance, whether you run Apache or Nginx.

Secrets via .env File

Make sure your server is configured to not serve dotfiles like the .env file where the API credentials of your provider will be stored. Never place sensitive files like .env in your web root. Consider using a custom folder setup instead: move index.php into public/index.php and point the web server's document root at public/.
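One way to realise that custom folder setup, as an added example that is not part of the Kirby Kart docs or plugin: the document root becomes public/, while kirby/, site/, content/ and the .env file stay one level up where no HTTP request can reach them. The roots array follows Kirby's documented custom folder setup; placing the writable folders under storage/ is a choice made here, not a requirement.

```php
<?php
// public/index.php -- the only directory the web server exposes is public/.
// Everything else (kirby/, site/, content/, storage/, .env) lives one level up.

$base    = dirname(__DIR__);        // e.g. /var/www/shop   (outside the web root)
$storage = $base . '/storage';      // writable data, also outside the web root

require $base . '/kirby/bootstrap.php';

$kirby = new Kirby([
    'roots' => [
        'index'    => __DIR__,               // public/ -- the document root
        'base'     => $base,
        'content'  => $base . '/content',
        'site'     => $base . '/site',       // config.php lives here, not under public/
        'storage'  => $storage,
        'accounts' => $storage . '/accounts',
        'cache'    => $storage . '/cache',
        'sessions' => $storage . '/sessions',
    ],
]);

// The .env file is expected at $base/.env (assumption: wherever your dotenv
// loader is configured to look); a request for /.env now has nothing to find.
echo $kirby->render();
```

With this layout a misconfigured "deny dotfiles" rule is no longer the only thing standing between the internet and your provider credentials, because the file is simply not in the served tree.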

Content Security Policy Headers (CSP)

I highly recommend setting up a tight CSP, covering whichever scripts, images or iframes you intend to include from external sources. Only allow what you need and block everything else. My security headers plugin comes with sensible defaults and some tips on how to get started defining rules.
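To illustrate the "only allow what you need" rule, here is an added example in plain PHP that is not taken from the security headers plugin or from Kirby Kart: the policy starts from 'none' and opens exactly the directives a shop page needs, using a per-request nonce so inline scripts work without 'unsafe-inline'. The origin https://checkout.provider.example is a placeholder for your payment provider's script and iframe host; wiring the header into Kirby's response cycle is left to the plugin and not shown here.

```php
<?php
// Added CSP helper (example only, not the security headers plugin).
// Default to 'none' and list only the sources each directive really needs.

/**
 * Build a Content-Security-Policy header value from a directive => sources map.
 * Anything not listed here is blocked by the browser.
 */
function buildCsp(array $directives): string
{
    $parts = [];
    foreach ($directives as $directive => $sources) {
        $parts[] = $directive . ' ' . implode(' ', $sources);
    }
    return implode('; ', $parts);
}

// A fresh nonce per request lets the inline <script> tags you control run,
// while injected inline scripts (no matching nonce) are refused.
$nonce = base64_encode(random_bytes(16));

// Placeholder origin -- replace with the host your provider's checkout uses.
$providerOrigin = 'https://checkout.provider.example';

$csp = buildCsp([
    'default-src'     => ["'none'"],
    'base-uri'        => ["'self'"],
    'form-action'     => ["'self'", $providerOrigin],
    'script-src'      => ["'self'", "'nonce-$nonce'", $providerOrigin],
    'style-src'       => ["'self'"],
    'img-src'         => ["'self'", 'data:'],
    'font-src'        => ["'self'"],
    'connect-src'     => ["'self'", $providerOrigin],   // fetch/XHR to the provider
    'frame-src'       => [$providerOrigin],             // hosted payment iframe
    'frame-ancestors' => ["'none'"],                    // the shop is never framed
    'object-src'      => ["'none'"],
]);

// Must be sent before any output, e.g. from the front controller or a hook.
header('Content-Security-Policy: ' . $csp);

// In templates, attach the nonce to the inline scripts you ship yourself:
// <script nonce="<?= $nonce ?>">/* your code */</script>
```

Test the policy first with Content-Security-Policy-Report-Only and the browser console open; every blocked resource you actually need is then a single, deliberate addition to one directive rather than a wildcard.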

Last but not least, debug = false

The official Kirby CMS docs have a worthwhile guide on how to make your Kirby installation even more secure. Be sure to check it out.

One topic is deactivating the debug mode. I achieve this by explicitly turning it off globally and only turning it on for local development.

site/config/config.php
<?php

return [
    'debug' => false,
    'session' => ['cookieName' => 'session'],
    'yaml.handler' => 'symfony', // future-proof
    // other options
];
site/config/config.example.test.php
<?php

return [
    'cache' => ['pages' => ['active' => false]],
    'content' => ['locking' => false],
    'debug' => true,
    'editor' => 'vscode',
    // other options
];
site/config/config.www.example.com.php
<?php

return [
    // 'cache' => ['pages' => ['active' => true]], // depends
    'debug' => false, // double-tap to be sure
    'panel' => ['install' => false], // double-tap to be sure
    'url' => 'https://www.example.com', // enforce https and www
    // other options
];
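As an added pre-deploy check that is neither part of Kirby Kart nor of Kirby CMS, the script below loads the merged config for a given host the way the per-host files above are meant to stack, and fails if debug is not explicitly false, the Panel installer is open, the canonical url does not enforce https, or a dotfile such as .env sits inside the document root. It assumes the custom folder setup (document root at <base>/public) and that the config files are plain arrays like the ones shown here; the merge is an approximation of Kirby's loader, not Kirby's own code.

```php
<?php
// Added pre-deploy check (example only).
// Usage: php check-live-config.php /path/to/base www.example.com

function loadMergedConfig(string $base, string $host): array
{
    // Kirby applies config.<host>.php on top of config.php; array_replace_recursive
    // mirrors that closely enough for a check (approximation, not Kirby's loader).
    $config = [];
    foreach (['config.php', 'config.' . $host . '.php'] as $file) {
        $path = $base . '/site/config/' . $file;
        if (is_file($path)) {
            $config = array_replace_recursive($config, (array) require $path);
        }
    }
    return $config;
}

function checkLiveConfig(string $base, string $host): array
{
    $problems = [];
    $config   = loadMergedConfig($base, $host);
    $webRoot  = $base . '/public';   // assumption: custom folder setup

    // debug must be explicitly false on the live host ("double-tap to be sure")
    if (($config['debug'] ?? null) !== false) {
        $problems[] = "debug is not false for $host";
    }
    // the Panel installer must stay closed
    if (($config['panel']['install'] ?? null) !== false) {
        $problems[] = "panel.install is not false for $host";
    }
    // the canonical URL must enforce https
    $url = $config['url'] ?? '';
    if (!is_string($url) || !str_starts_with($url, 'https://')) {
        $problems[] = 'url does not start with https://';
    }
    // no dotfiles (e.g. .env) inside the document root; .htaccess is expected
    foreach (glob($webRoot . '/.*') ?: [] as $entry) {
        $name = basename($entry);
        if (is_file($entry) && $name !== '.htaccess') {
            $problems[] = "dotfile $name found inside the web root";
        }
    }
    return $problems;
}

$base     = rtrim($argv[1] ?? dirname(__DIR__), '/');
$host     = $argv[2] ?? 'www.example.com';
$problems = checkLiveConfig($base, $host);

foreach ($problems as $problem) {
    fwrite(STDERR, "FAIL: $problem\n");
}
echo $problems ? "Not ready for production.\n" : "Live config looks sane.\n";
exit($problems ? 1 : 0);
```

Running this in your deploy pipeline turns the "double-tap" comments in the config into something that actually blocks a release when someone flips debug back on for a quick look.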
Kirby Kart is not affiliated with the developers of Kirby CMS. We are merely standing on the shoulder of giants.
© 2025 Bruno Meilick All rights reserved.