Saleor is API-first and GraphQL-only, so security posture depends on token scoping, permission boundaries, and rapid upgrades after advisory disclosures.
- review staff permissions and app scopes for every integration
- disable or restrict public order/customer queries not required by storefront
- audit GraphQL queries/mutations exposed to unauthenticated clients
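One way to run the audit in the last two items, as an added example that is not Saleor project code: send a handful of privileged root queries without any Authorization header and classify each answer. It assumes the listed query names exist in Saleor's schema and require staff permissions, and that Saleor reports authorization failures as a GraphQL error whose `extensions.exception.code` is `PermissionDenied`; the sample responses are constructed so the script runs offline.

```python
"""Added example (not Saleor's own code): check which privileged Saleor
GraphQL queries answer an anonymous client. Assumed: the query names below
exist and require staff permissions; authorization failures carry
extensions.exception.code == "PermissionDenied". Responses are constructed."""
import json
import urllib.request

# Privileged root queries a storefront should never need anonymously.
PRIVILEGED_QUERIES = {
    "orders": "{ orders(first: 1) { edges { node { id } } } }",
    "customers": "{ customers(first: 1) { edges { node { id } } } }",
    "staffUsers": "{ staffUsers(first: 1) { edges { node { id } } } }",
}


def classify(response: dict) -> str:
    """Return 'denied', 'exposed' or 'unexpected' for one GraphQL response."""
    for err in response.get("errors") or []:
        exc = (err.get("extensions") or {}).get("exception") or {}
        if exc.get("code") == "PermissionDenied":
            return "denied"
    for value in (response.get("data") or {}).values():
        if value is not None:
            return "exposed"  # anonymous client received privileged data
    return "unexpected"  # some other error: schema mismatch, rate limit, ...


def audit(responses: dict) -> dict:
    """Map each query name to its verdict; anything but 'denied' needs review."""
    return {name: classify(resp) for name, resp in responses.items()}


def fetch(endpoint: str, query: str) -> dict:
    """POST one query to a live endpoint with no Authorization header."""
    body = json.dumps({"query": query}).encode()
    req = urllib.request.Request(endpoint, data=body, method="POST",
                                 headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


# Constructed sample responses standing in for a live Saleor instance.
SAMPLE_RESPONSES = {
    "orders": {"data": {"orders": None}, "errors": [{"message": "denied",
               "extensions": {"exception": {"code": "PermissionDenied"}}}]},
    "customers": {"data": {"customers": {"edges": [{"node": {"id": "Q3VzdG9tZXI6MQ=="}}]}}},
    "staffUsers": {"data": {"staffUsers": None}, "errors": [{"message": "timeout"}]},
}

if __name__ == "__main__":
    for name, verdict in audit(SAMPLE_RESPONSES).items():
        print(f"{name}: {verdict}")
```

Against a real store, replace `SAMPLE_RESPONSES` with `{n: fetch(endpoint, q) for n, q in PRIVILEGED_QUERIES.items()}`; any verdict other than `denied` means the query is reachable without credentials and should be restricted or the permission model re-checked.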
2) Track Saleor advisories and patch quickly
- monitor GitHub security advisories and release notes for Saleor
- prioritize patching for information-disclosure, XSS, and IDOR-class vulnerabilities
- keep staging environment aligned to test API behavior after upgrades
3) Harden auth and API infrastructure
- rotate app tokens and webhook secrets regularly
- enforce HTTPS, CORS allowlists, and reverse-proxy rate limiting on the GraphQL API
- isolate Postgres/Redis and encrypt backups containing customer and order data
- Saleor source and security policy: https://github.com/saleor/saleor/security
- Saleor project repository: https://github.com/saleor/saleor
- Saleor docs: https://docs.saleor.io/