Solidus publishes a clear security policy and support window. Hardening should focus on three areas: running supported versions, role-based access control (RBAC) for the admin backend and API, and Rails dependency hygiene.
¶ 1) Run supported versions and patch promptly
- follow the Solidus supported-version matrix and EOL windows
- patch to the latest supported branch immediately after security releases
- avoid custom forks that do not receive regular upstream security backports
¶ 2) Harden admin, API, and order token behavior
- restrict admin backend access (network-level where possible) and use strong authentication controls
- scope API credentials/tokens to the least privileges the integration needs
- review guest/order token flows so that an order is only readable by its owner, a staff role entitled to see it, or a guest presenting the correct token
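As an added illustration (not Solidus code), the order-access decision described above in plain Ruby: a staff role holding the right permission set, the signed-in owner, or a guest presenting the order's token. The `Order` struct, role names and permission names are constructed for this example; it also shows why a guest-token check must reject blank tokens and compare in constant time rather than with `==`.

```ruby
# Constructed stand-in for a Solidus order: only the fields this check needs.
Order = Struct.new(:number, :user_id, :guest_token, keyword_init: true)

# Least-privilege permission sets, in the spirit of assigning permission sets
# to roles in the Solidus initializer. Names are illustrative, not Solidus'.
ROLE_PERMISSIONS = {
  admin:         %i[order_display order_management user_management],
  support_agent: %i[order_display],
  storefront:    []
}.freeze

def role_allows?(role, permission)
  ROLE_PERMISSIONS.fetch(role, []).include?(permission)
end

# Constant-time byte comparison: no early exit on the first mismatching byte.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Weak form: plain == treats a missing stored token and a missing parameter as
# equal, so an order saved without a guest token becomes readable by anyone.
def naive_token_matches?(stored, presented)
  stored == presented
end

# Hardened form: blank tokens never match, and the comparison is constant-time.
def token_matches?(stored, presented)
  return false if stored.nil? || stored.empty?
  return false if presented.nil? || presented.empty?
  secure_equal?(stored, presented)
end

# Decide whether a request may read an order:
# 1. a staff role holding :order_display
# 2. the signed-in owner of the order
# 3. a guest presenting the order's token
def order_readable?(order, role: :storefront, user_id: nil, presented_token: nil)
  return true if role_allows?(role, :order_display)
  return true if !user_id.nil? && order.user_id == user_id
  token_matches?(order.guest_token, presented_token)
end
```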
¶ 3) Secure Rails stack and data plane
- keep Ruby/Rails dependencies patched and regularly audited for known vulnerabilities
- isolate Postgres, Redis and background job infrastructure from public network access
- encrypt backups that contain customer, order or payment metadata
References:
- Solidus security policy: https://guides.solidus.io/policies/security/
- Solidus project repository: https://github.com/solidusio/solidus
- Historical Solidus security incident write-up: https://solidus.io/blog/ransack-vulnerability