| Scan Time | 2025-09-18 03:27:14 |
|---|---|
| Path Audited | /home/son/sites/magento |
| Rules Checked | Total: 10, Passed: 0, Failed: 10 |
| Findings Overview | Critical: 1, High: 6, Medium: 3, Low: 0, Total: 10 |
| Score (Rules Passed %) | 0 / 10 (0%) |
| ID | Control | Severity | Status | Title |
|---|---|---|---|---|
| MB-R006 | MB-C02 | high | FAIL | Admin path is still '/admin'. Change env.php backend.frontName to a non-guessable value and update web server rules. |
| MB-R007 | MB-C02 | critical | FAIL | Two-Factor Authentication is disabled or missing. Enable Magento_TwoFactorAuth and enforce 2FA for all admin users. |
| MB-R008 | MB-C02 | high | FAIL | Admin password/security policy is not configured. Define complexity, history, lockout, and rotation settings under admin/security. |
| MB-R009 | MB-C02 | medium | FAIL | Admin session lifetime exceeds 900 seconds. Reduce session.lifetime to ≤ 900 for better security. |
| MB-R010 | MB-C02 | medium | FAIL | Admin URL is exposed (default path and no network ACLs). Change backend.frontName and/or restrict access via web server allow/deny. |
| MB-R015 | MB-C03 | high | FAIL | Forms without form_key detected. Add CSRF token for protection. |
| MB-R026 | MB-C04 | high | FAIL | HTTPS is not enforced in admin or storefront. Enable secure URLs in env.php. |
| MB-R030 | MB-C04 | high | FAIL | Cookies lack Secure or HttpOnly flags. Enable them to protect against theft and XSS. |
| MB-R033 | MB-C05 | medium | FAIL | PHP display_errors is On. Set display_errors=Off and log errors to files instead. |
| MB-R040 | MB-C06 | high | FAIL | Session storage is not hardened. Use Redis with a password for secure sessions. |
This report was generated using Magebean CLI, based on the Magebean Security Baseline v1. Findings are provided for informational and audit purposes only.