CartThrob was built from the ground up for security. The following article outlines the security measures used in CartThrob and additional security measures that you can take to strengthen security for your store.

Default Security Measures

By default, CartThrob uses some very strong security measures to protect your and your customers' data, piggybacking off of ExpressionEngine's security systems and incorporating some of its own as well.

Encryption Keys

During installation, CartThrob requires that you set an encryption key. All data stored by CartThrob will then be encrypted using that key. CartThrob uses CodeIgniter's encryption class to handle 2-way encryption. For more about that, read the article here

Database Cart Storage

All cart data is stored in the database by default rather than in session. All data stored in the database is encrypted.

Data Fingerprinting

CartThrob stores all data in the database, but the browser contains a cookie keyed to that stored cart data. By default, CartThrob uses session fingerprinting to tie the user's browser to the cart data. One of several fingerprinting methods can be used, based on your server requirements and real-world testing. Fingerprinting essentially matches several browser attributes, in addition to the encrypted user cookie, before allowing access to a stored cart.
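The matching described above, sketched as an added example (not CartThrob's own code). The attribute set, the function names and the in-memory `$carts` array are assumptions made for illustration; CartThrob's actual fingerprinting methods are chosen in its settings.

```php
<?php
// Added illustration, not CartThrob source. The attribute set is an assumption.

// First three octets of an IPv4 address, so small address changes keep the cart.
function ip_prefix(string $ip): string
{
    if (filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4) !== false) {
        return implode('.', array_slice(explode('.', $ip), 0, 3));
    }
    return $ip; // IPv6 or missing address: used as-is
}

// Keyed hash over browser attributes; the key stays on the server.
function cart_fingerprint(array $server, string $key): string
{
    $parts = [
        $server['HTTP_USER_AGENT'] ?? '',
        $server['HTTP_ACCEPT_LANGUAGE'] ?? '',
        ip_prefix($server['REMOTE_ADDR'] ?? ''),
    ];
    return hash_hmac('sha256', implode("\n", $parts), $key);
}

// The cookie value selects the row; the fingerprint must also match.
function load_cart(array $carts, string $cookieId, array $server, string $key): ?array
{
    $row = $carts[$cookieId] ?? null;
    if ($row === null || !hash_equals($row['fingerprint'], cart_fingerprint($server, $key))) {
        return null;
    }
    return $row['items'];
}

// Constructed sample data.
$key   = 'example-key-for-illustration-only';
$owner = ['HTTP_USER_AGENT' => 'ExampleBrowser/1.0', 'HTTP_ACCEPT_LANGUAGE' => 'en-US',
          'REMOTE_ADDR' => '203.0.113.24'];
$other = ['HTTP_USER_AGENT' => 'OtherBrowser/9.9', 'HTTP_ACCEPT_LANGUAGE' => 'de-DE',
          'REMOTE_ADDR' => '198.51.100.7'];
$carts = ['c0ffee' => ['fingerprint' => cart_fingerprint($owner, $key),
                       'items' => [['sku' => 'TSHIRT', 'qty' => 2]]]];

var_dump(load_cart($carts, 'c0ffee', $owner, $key)); // same browser as at cart creation
var_dump(load_cart($carts, 'c0ffee', $other, $key)); // same cookie value, different browser
```

Stricter attribute sets reject more copied cookies but also drop more legitimate carts (for example when a mobile client changes networks), which is why the choice of method should follow real-world testing.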

Cart Expiration

Carts stored in the database can be set to expire slowly, quickly, or not at all, or they can be expired manually using CRON. This limits the amount of storage space required and the duration of temporary cart data.


Captcha can be required for guest checkouts.

Empty Cart Checkout

Carts can be set to disallow checking out with an empty cart.

Form Parameters are encrypted

Most form parameters are encrypted. If, for instance, you set the "price" form parameter in the checkout form, the value that you set is encrypted, along with other parameters like weight, shipping, and tax. Unless a parameter is a low security risk (like the return URL or the CSS class or CSS id), the data you submit in the parameter is encrypted.

Guest Checkouts

Guests can be allowed to check out, or checkout can be restricted to logged-in members only. For guests, submitted orders are stored under the member ID of your choosing.

Registration during checkout

If a guest registers during checkout, their order is assigned to the newly created member. If that order fails, the order is not assigned to the new member and is instead assigned to the default member used for guest checkouts, and the newly created member is removed before the customer can log in with the new account.

EE Channel Administration settings are used for orders

By default, orders are stored in channel entries. Access to these channel entries is protected like any ExpressionEngine content, and by default they can only be accessed in EE's backend by administrative members with channel access. You can further restrict access to this channel data as needed using EE's standard member groups permissions settings.

XSS Cleaning

All form data is run through EE's standard cross-site scripting (XSS) filters to ensure its integrity.

Credit Card data is not stored

At no point in the process is any data directly linked to credit cards stored to the session or in permanent storage. Neither the credit_card_number nor the CVV2 (the number on the back of the card) is stored at any point. If credit card data is captured, it is only in the system long enough to send it on to the payment processor, and it is then discarded. Expiration dates and the "last four" credit card numbers can be saved for reference, but key number data is not stored.

Forms are processed in secure mode

By default, all CartThrob forms process data in "secure mode" using EE's built-in systems. Each form includes a random hash that is used to reduce form spamming. Generally this is a low-necessity security system, mostly reducing the annoyance of form spamming. If you send the same form many times via ajax, you will need to turn off this setting, or reload the form each time it's sent via ajax to generate a new secure hash.

Offsite payment gateway security

Many offsite payment gateways call back to the system to announce the completion or failure of a payment. Where possible, available security methods are used in conjunction with the gateway to ensure data integrity, reduce the injection of fake orders, and reduce the possibility of false approval of orders. When possible, hash checking is implemented to make sure that data being sent from the gateway is legitimate. Not all offsite payment gateways offer this option, so we suggest removing any gateways that you aren't actively using. See Additional Security Measures below.
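What hash checking on a gateway callback looks like in general, as an added example (not CartThrob's or any real gateway's code). The field names, the `signature` parameter and the HMAC-SHA256 scheme are assumptions; each gateway documents its own scheme.

```php
<?php
// Added illustration, not CartThrob or real gateway code.
// Assumed scheme: HMAC-SHA256 over the sorted callback fields, sent as "signature".

function callback_signature(array $fields, string $secret): string
{
    unset($fields['signature']);
    ksort($fields); // both sides must serialise the fields in the same order
    return hash_hmac('sha256', http_build_query($fields), $secret);
}

// Returns [accepted, reason]. $order is the shop's own stored record.
function verify_callback(array $post, string $secret, array $order): array
{
    $sent = $post['signature'] ?? '';
    if (!is_string($sent) || !hash_equals(callback_signature($post, $secret), $sent)) {
        return [false, 'signature mismatch'];
    }
    // A valid signature for another order or amount must not approve this one.
    if (($post['order_id'] ?? null) !== $order['id']) {
        return [false, 'order id mismatch'];
    }
    if (($post['amount'] ?? null) !== $order['total']) {
        return [false, 'amount mismatch'];
    }
    return [($post['status'] ?? '') === 'approved', $post['status'] ?? 'no status'];
}

// Constructed sample data.
$secret = 'shared-secret-for-illustration-only';
$order  = ['id' => '1042', 'total' => '25.00'];

$genuine = ['order_id' => '1042', 'amount' => '25.00', 'status' => 'approved'];
$genuine['signature'] = callback_signature($genuine, $secret);

$unsigned = ['order_id' => '1042', 'amount' => '25.00', 'status' => 'approved',
             'signature' => str_repeat('0', 64)];       // sender does not know the secret
$altered  = ['amount' => '1.00'] + $genuine;             // field changed after signing

foreach (['genuine' => $genuine, 'unsigned' => $unsigned, 'altered' => $altered] as $name => $cb) {
    [$ok, $why] = verify_callback($cb, $secret, $order);
    printf("%-8s %s (%s)\n", $name, $ok ? 'accepted' : 'rejected', $why);
}
```

A gateway that offers no such check leaves the callback URL accepting any request that looks well-formed, which is the reason for removing gateways you do not use.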

Additional Security Measures

Remove Extload.php

CartThrob includes a file called extload.php. It can be found at themes/third_party/cartthrob/lib/extload.php. It's intended to be used by payment gateways that handle payments offsite. Unless you use a gateway that mentions this file in its documentation, it's recommended to remove it.

Remove all unused gateways

Delete any unused gateway files, EXCEPT FOR "Cartthrob_payment_gateway.php" which is referenced by all other gateways in use. You can find these files in system » expressionengine » third_party » cartthrob » payment_gateways. Remove any gateway file that you are not actively using. Gateways can always be added back at a later time.

Turn off gateway selection

In CartThrob settings » payments » Payment Security Settings » Security Options you'll find the setting Allow Gateway Selection in Checkout Form? Set this to "no" if you are only using one payment gateway. If you use more than the default gateway, leave this set to "yes", and limit your available gateways.

Limit available gateways

If you want the customer to be able to select gateways, you should limit the gateways that they have to choose from. In CartThrob settings » payments » Payment Security Settings » Security Options you'll find a setting: When gateway selection is allowed, selection is limited to checked gateways. Check only gateways that the user should be able to use.

Use the gateway_select tag

To allow the customer to choose a gateway in the checkout_form, use the gateway_select tag, which will encrypt the selected gateway option value by default.

Protect the price field

Do not set price values using input fields. Though it's possible to set the price using an input field like so:

<input type="hidden" value="10.00" name="price" /> 

Setting the price in a text or hidden field makes it easy for any user with a little bit of skill to manipulate an item's price, or the price of the entire cart. Use this sparingly; its primary use is for allowing users to set the price of donations.


Install and use an SSL certificate. An SSL certificate makes it possible to use HTTPS connections, encrypted web connections that protect your customers' data. If you install an SSL certificate, you must then use it by securing web pages and CartThrob forms.

Secure Web Pages

Secure web pages by using an https connection. Link to any page using Once you link to your page securely, you'll also need to make sure that all embedded files are embedded with https:// connections as well, including:

  • CSS
  • Images
  • JavaScript
  • Favicons
  • Offsite JavaScript (like Google Analytics)

If you use an https link to a page that has files that use an insecure connection, some browsers will fail to continue loading the page, or will show a security alert to the visitor. If your page is secure, you will see a lock icon in your browser when you visit the page.

One of the easiest methods to test for embedded content that is insecure is to use Safari's activity monitor when a web page loads. Safari's activity monitor lists all files loaded for each site. You can quickly see if a file is loaded using http or https connections.
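The same check can be scripted against a page's HTML. The following is an added example (not part of CartThrob); the function name and the sample markup are constructed for illustration, and it covers the embedded file types listed above.

```php
<?php
// Added illustration, not part of CartThrob.
// Lists embedded resources that a page requests over plain http://.

function find_insecure_embeds(string $html): array
{
    $doc = new DOMDocument();
    libxml_use_internal_errors(true);   // tolerate real-world, non-strict markup
    $doc->loadHTML($html);
    libxml_clear_errors();

    // Tags that load a file into the page, and the attribute holding its URL.
    // <link> covers stylesheets and favicons; <a href> is navigation, not an embed.
    $embeds = ['img' => 'src', 'script' => 'src', 'iframe' => 'src', 'link' => 'href'];

    $found = [];
    foreach ($embeds as $tag => $attr) {
        foreach ($doc->getElementsByTagName($tag) as $el) {
            $url = trim($el->getAttribute($attr));
            if (stripos($url, 'http://') === 0) {
                $found[] = "<$tag> $url";
            }
        }
    }
    return $found;
}

// Constructed sample page: two insecure embeds, three that are fine.
$html = <<<'HTML'
<!DOCTYPE html>
<html><head>
  <link rel="stylesheet" href="https://shop.example.com/css/site.css">
  <link rel="icon" href="http://shop.example.com/favicon.ico">
  <script src="http://stats.example.net/analytics.js"></script>
</head><body>
  <img src="/images/logo.png" alt="logo">
  <img src="//cdn.example.com/banner.jpg" alt="banner">
  <a href="http://example.org/">plain link, not an embed</a>
</body></html>
HTML;

foreach (find_insecure_embeds($html) as $line) {
    echo $line, "\n";
}
```

This reads only the static markup; files requested later by scripts or from inside stylesheets still need the browser-side check described above.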

Use Secure_action parameter in forms

In any CartThrob form, you can set secure_action="yes" to make the form submit securely using an HTTPS connection. You must have an SSL certificate installed to use secure forms. If you are using a direct payment gateway, all direct gateways require that you use a secure connection.