Domain Security for E-commerce Sites
## Why E-commerce Domains Face Elevated Risk
Every domain faces potential security threats, but e-commerce domains are disproportionately targeted for two reasons: they process financial transactions, and they carry significant consumer trust. An attacker who hijacks an e-commerce domain can steal payment card data from thousands of customers in a single campaign. A convincing phishing copy of a popular store can harvest credentials at scale.
The consequences of a domain security incident for an online retailer can be severe, both direct (fraud losses, remediation costs, contractual penalties under PCI DSS) and indirect (lost customer trust, regulatory liability under GDPR and consumer protection law).
This guide covers the domain-specific security measures that go beyond the baseline Domain Security Checklist and are particularly critical for e-commerce.
## Baseline Requirements (Non-Negotiable)
If you operate an e-commerce site, these controls are mandatory starting points:
**HTTPS everywhere**: Every page, not just checkout, must be served over HTTPS with a valid certificate. Modern browsers mark HTTP pages as "Not Secure," which drives abandonment. More importantly, plain HTTP lets any network intermediary read and modify the traffic, including injecting a script into a product page that later links to checkout.
**HSTS with preloading**: Send the `Strict-Transport-Security` header with `includeSubDomains` and `preload` (for example `Strict-Transport-Security: max-age=63072000; includeSubDomains; preload`), then submit the domain to the HSTS preload list at hstspreload.org. The header alone only protects a visitor after their first HTTPS visit; preloading ships the policy inside the browser, so even the very first request goes over HTTPS and the window for an SSL-stripping downgrade closes. Two caveats: the preload list requires a `max-age` of at least one year, and `includeSubDomains` covers every subdomain, internal ones included, so confirm each of them serves valid HTTPS before submitting, because removal from the list takes months to reach users.
**CAA records**: Publish `CAA` records naming the Certificate Authorities allowed to issue for your domain (for example `shop.example. CAA 0 issue "letsencrypt.org"`, plus an `issuewild` record to control wildcard issuance and an `iodef` record so CAs can report refused requests). Publicly trusted CAs are required to check CAA before issuing, so a request to any other CA, whether from an attacker or a well-meaning developer, is refused. CAA does not protect against a CA that misbehaves or is compromised, which is why it belongs alongside Certificate Transparency monitoring.
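CAA semantics have a few corners worth seeing in code: the relevant record set is the closest one walking up from the requested name, `issue ";"` denies everyone, wildcard requests use `issuewild` only when it exists, and no CAA at all means any CA may issue. The following evaluator, an added example rather than code from the original article, mirrors the RFC 8659 rules a CA applies; the zone data is constructed.

```python
"""Evaluate CAA records the way an issuing CA does (RFC 8659). Added example,
not code from the original article. The zone data below is constructed and
the CA identifiers are the ones CAs publish for use in CAA records."""

KNOWN_TAGS = {"issue", "issuewild", "iodef"}
CRITICAL_FLAG = 128


def ancestors(name: str) -> list:
    """'checkout.shop.example' -> ['checkout.shop.example', 'shop.example', 'example'].
    A wildcard name keeps its '*' label, so '*.shop.example' is checked first."""
    labels = name.lower().rstrip(".").split(".")
    return [".".join(labels[i:]) for i in range(len(labels))]


def relevant_caa(zone: dict, name: str) -> list:
    """The relevant RRset is the first non-empty CAA RRset found walking up
    from the name toward the root. No CAA anywhere means no restriction."""
    for candidate in ancestors(name):
        if zone.get(candidate):
            return zone[candidate]
    return []


def ca_may_issue(zone: dict, name: str, ca_id: str) -> bool:
    """zone maps a DNS name to its CAA records as (flags, tag, value) tuples."""
    records = relevant_caa(zone, name)
    # A record with the critical flag and a tag the CA does not understand
    # forbids issuance outright.
    if any(flags & CRITICAL_FLAG and tag not in KNOWN_TAGS for flags, tag, _ in records):
        return False
    wildcard = name.startswith("*.")
    has_issuewild = any(tag == "issuewild" for _, tag, _ in records)
    # Wildcard requests use issuewild when present and fall back to issue otherwise.
    tag_in_force = "issuewild" if wildcard and has_issuewild else "issue"
    permitted = [value for _, tag, value in records if tag == tag_in_force]
    if not permitted:
        return True  # no issue/issuewild property in the relevant set: any CA may issue
    for value in permitted:
        # Parameters after ';' (e.g. validationmethods=) are ignored here;
        # a bare ';' names no CA at all and therefore denies everyone.
        issuer = value.split(";", 1)[0].strip().lower()
        if issuer and issuer == ca_id.lower():
            return True
    return False


# Constructed zone: only Let's Encrypt may issue, wildcards are forbidden entirely,
# and refused requests are reported to the security mailbox.
SAMPLE_ZONE = {
    "shop.example": [
        (0, "issue", "letsencrypt.org"),
        (0, "issuewild", ";"),
        (0, "iodef", "mailto:security@shop.example"),
    ],
}

if __name__ == "__main__":
    print(ca_may_issue(SAMPLE_ZONE, "checkout.shop.example", "letsencrypt.org"))  # True
    print(ca_may_issue(SAMPLE_ZONE, "checkout.shop.example", "digicert.com"))     # False
    print(ca_may_issue(SAMPLE_ZONE, "*.shop.example", "letsencrypt.org"))         # False
    print(ca_may_issue({}, "checkout.shop.example", "digicert.com"))              # True: no CAA at all
```

The closest-set rule is the one that bites in practice: a developer who adds `checkout.shop.example. CAA 0 issue "digicert.com"` for a one-off certificate has silently replaced the apex policy for that name, not extended it.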
**Domain Lock**: Enable registrar lock at minimum (the EPP statuses `clientTransferProhibited`, `clientUpdateProhibited` and `clientDeleteProhibited`), and strongly consider registry lock (Registry Lock: The Ultimate Domain Protection) for your primary e-commerce domain. Registrar lock is only as strong as the registrar account that can remove it, so protect that account with hardware-backed MFA and limit who holds it. A hijacked e-commerce domain is an immediate revenue crisis.
## Email Security for Transactional Email
E-commerce businesses send significant email: order confirmations, shipping notifications, password resets, abandoned cart reminders. Attackers who spoof your sending domain exploit customer trust at exactly the moments it matters most: a forged shipping notice or password-reset message arrives when the customer is expecting one.
Implement the full email authentication stack: SPF, DKIM, and DMARC at enforcement (`p=reject`). See Email Security: SPF, DKIM, and DMARC Explained for the implementation sequence. Do not stop at monitoring mode (`p=none`): use the aggregate reports to find every legitimate sender, then move to `p=quarantine` and on to `p=reject`, because enforcement is what actually blocks spoofed mail from reaching your customers.
If you use a transactional email platform (SendGrid, Mailgun, Postmark, Amazon SES), configure DKIM signing with the keys or CNAME records the platform provides, and add the platform's `include:` mechanism to your SPF record. Watch the SPF limit of 10 DNS lookups: each `include:` expands recursively, and a record that exceeds the limit evaluates to PermError, after which SPF cannot pass at all.
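A lint for the two TXT records this section describes, added here as an example (not code from the original article): it counts SPF lookup terms against the limit, flags a permissive `all`, and checks that the DMARC record is actually at enforcement with reporting turned on. The record strings are constructed; it inspects only the top-level SPF record, so the true lookup count after `include:` expansion is higher than what it reports.

```python
"""Lint the SPF and DMARC TXT records behind a transactional-email setup.
Added example, not code from the original article. The record strings below
are constructed; the term names and limits come from RFC 7208 (SPF) and
RFC 7489 (DMARC)."""
import re

# Terms that cost a DNS lookup during SPF evaluation (RFC 7208 section 4.6.4).
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
MAX_LOOKUPS = 10


def spf_findings(record: str) -> list:
    """Return a list of problems with an SPF record; an empty list means clean."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["not an SPF record: must begin with v=spf1"]
    findings, lookups, all_qualifier = [], 0, None
    for term in terms[1:]:
        qualifier = "+"
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        # Mechanism name ends at ':' (argument), '/' (CIDR) or '=' (modifier).
        name = re.split(r"[:/=]", term, maxsplit=1)[0].lower()
        if name in LOOKUP_TERMS:
            lookups += 1
        if name == "ptr":
            findings.append("ptr mechanism is deprecated (RFC 7208) and slow to evaluate")
        if name == "all":
            all_qualifier = qualifier
    if lookups > MAX_LOOKUPS:
        findings.append(f"{lookups} lookup terms exceed the limit of {MAX_LOOKUPS}: "
                        "the record returns PermError and SPF cannot pass")
    elif lookups > MAX_LOOKUPS - 3:
        # include: terms expand recursively, so the real count is higher than
        # what is visible here; leave headroom for the platforms' own includes.
        findings.append(f"{lookups} lookup terms at top level leaves little headroom "
                        f"under the limit of {MAX_LOOKUPS} once includes expand")
    if all_qualifier is None:
        findings.append("no 'all' term: hosts not listed get a Neutral result")
    elif all_qualifier in "+?":
        findings.append(f"'{all_qualifier}all' lets any host pass; end with -all (or ~all)")
    return findings


def dmarc_findings(record: str) -> list:
    """Return problems with a DMARC record relative to an enforcement target."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, _, value = part.partition("=")
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        return ["not a DMARC record: must begin with v=DMARC1"]
    findings = []
    policy = tags.get("p", "none")
    if policy != "reject":
        findings.append(f"p={policy}: only p=reject blocks spoofed mail at the receiver")
    if tags.get("sp", policy) != "reject":
        findings.append(f"sp={tags.get('sp', policy)}: subdomains are not at enforcement")
    if tags.get("pct", "100") != "100":
        findings.append(f"pct={tags['pct']}: policy applies to only part of the mail stream")
    if "rua" not in tags:
        findings.append("no rua= address: aggregate reports are not being collected")
    return findings


# Constructed records for a store using two sending platforms.
SPF_OK = "v=spf1 include:sendgrid.net include:amazonses.com -all"
SPF_BAD = "v=spf1 a mx ptr include:sendgrid.net +all"
DMARC_OK = "v=DMARC1; p=reject; rua=mailto:dmarc-reports@shop.example"
DMARC_MONITOR_ONLY = "v=DMARC1; p=none; pct=50"

if __name__ == "__main__":
    for rec in (SPF_OK, SPF_BAD, DMARC_OK, DMARC_MONITOR_ONLY):
        check = spf_findings if rec.startswith("v=spf1") else dmarc_findings
        print(rec, "->", check(rec) or "clean")
```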
## Subdomain Security
E-commerce domains often have multiple subdomains: `www`, `checkout`, `api`, `cdn`, `admin`, `staging`. Each subdomain is an attack surface.
**Audit all DNS records** and remove any that point to services you no longer use. Dangling records, typically a CNAME pointing at a cloud resource (an S3 bucket, a Heroku app, a GitHub Pages site) that has since been deleted, are vulnerable to subdomain takeover: an attacker claims the now-unoccupied resource name at the provider and serves content, often with a valid certificate, under your subdomain. The same applies to A records pointing at released cloud IP addresses and to NS records delegating to a zone that no longer exists.
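The audit described above, as an added example that is not code from the original article. It takes the zone's CNAME records and a probe function, and reports two distinct signals: targets that no longer resolve, and targets that still resolve to the provider but answer with the provider's "nobody owns this" page (S3 and GitHub Pages keep resolving after the bucket or site is deleted, so only the response body gives it away). The provider suffixes and fingerprint strings are assumptions that must be maintained from each provider's live error pages; the sample zone and probe answers are constructed so the check runs offline.

```python
"""Flag CNAME records that point at takeover-prone cloud resources which no
longer exist. Added example, not code from the original article. The provider
suffixes and 'unclaimed' fingerprints are illustrative assumptions that must
be kept current from each provider's actual error page; the sample zone and
the probe responses are constructed so the check runs offline."""

# Provider hostname suffix -> text the provider returns when nobody owns the resource.
# Assumed fingerprints: verify against the live error pages before relying on them.
TAKEOVER_FINGERPRINTS = {
    "s3.amazonaws.com": "NoSuchBucket",
    "github.io": "There isn't a GitHub Pages site here",
    "herokuapp.com": "No such app",
}


def provider_for(target: str):
    """Return the matching provider suffix for a CNAME target, or None."""
    target = target.lower().rstrip(".")
    for suffix in TAKEOVER_FINGERPRINTS:
        if target == suffix or target.endswith("." + suffix):
            return suffix
    return None


def dangling_records(cname_records: dict, probe) -> list:
    """cname_records maps subdomain -> CNAME target.

    probe(target) returns (resolves, body): whether the target name resolves
    and, if it does, the HTTP response body. Two signals indicate takeover
    risk: the target does not resolve at all, or it resolves to the provider
    but the provider says the resource is unclaimed.
    """
    findings = []
    for name, target in cname_records.items():
        provider = provider_for(target)
        if provider is None:
            continue  # not a provider we have a fingerprint for
        resolves, body = probe(target)
        if not resolves:
            findings.append((name, target, "target does not resolve; resource likely deleted"))
        elif TAKEOVER_FINGERPRINTS[provider] in body:
            findings.append((name, target, "provider reports the resource as unclaimed"))
    return findings


# Constructed zone: an old asset bucket, a decommissioned Heroku promo site,
# a docs site that still exists, and a CDN we have no fingerprint for.
SAMPLE_CNAMES = {
    "cdn.shop.example": "assets-shop.s3.amazonaws.com",
    "promo.shop.example": "old-promo-site.herokuapp.com",
    "docs.shop.example": "shop-docs.github.io",
    "www.shop.example": "shop-example.cdnprovider.test",
}

# Constructed probe results standing in for a real DNS lookup plus HTTP GET.
FAKE_PROBE_RESULTS = {
    "assets-shop.s3.amazonaws.com": (True, "<Error><Code>NoSuchBucket</Code></Error>"),
    "old-promo-site.herokuapp.com": (False, ""),
    "shop-docs.github.io": (True, "<html><title>Shop docs</title></html>"),
}


def fake_probe(target: str) -> tuple:
    return FAKE_PROBE_RESULTS.get(target, (True, ""))


if __name__ == "__main__":
    for name, target, reason in dangling_records(SAMPLE_CNAMES, fake_probe):
        print(f"{name} -> {target}: {reason}")
```

In production, replace `fake_probe` with a real resolver and HTTP client, pull the CNAME list from your DNS provider's API rather than a hand-maintained dict, and run it on a schedule: dangling records appear whenever a team tears down a project without touching DNS.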
**Apply HTTPS and HSTS to all subdomains** via `includeSubDomains`.
**Keep non-production environments off the production domain.** `staging` and `dev` subdomains are usually configured less carefully, and because cookies scoped to the parent domain are both sent to them and settable from them, a compromised staging host can read or plant session cookies for the real store. If such subdomains must exist on the production domain, put them behind authentication; better, use a separate domain for non-production environments.
## Typosquat and Phishing Brand Protection
E-commerce brands are frequent targets of Typosquatting and phishing. A fake `yourstore-secure.com` can run a convincing checkout page and steal card data from customers who click a phishing link.
**Defensive domain registration**: Register the most common misspellings of your domain name across major TLDs and redirect them to your canonical domain. See Typosquatting Protection: Defending Your Brand for a systematic approach.
**Certificate Transparency monitoring**: Publicly trusted certificates are recorded in CT logs, and attackers building phishing infrastructure almost always obtain one, because a look-alike checkout page without the padlock is far less convincing. Monitor CT logs for issuances to your domain name and to common look-alike variants: a certificate for a look-alike you did not register is an early warning, and one for your own domain that you did not request is an incident.
**DMARC reporting**: Use DMARC aggregate reports to detect unauthorized use of your domain in email. Phishing campaigns often spoof your From: address; DMARC enforcement blocks these and the reports make the attempts visible. Note that the reports cover only your own domain: mail sent from a look-alike domain passes that domain's own checks and never appears in your reports, which is what look-alike domain monitoring is for.
## Payment Card Security and DNS
While PCI DSS compliance is primarily a hosting and application concern, DNS security is directly relevant:
**DNSSEC** signs your zone so that validating resolvers reject forged answers, closing the cache-poisoning route by which a payment page could be redirected to an attacker's server. Enable it on your domain, and treat key rollovers as a change that can take the site offline if done wrong: an expired signature or a DS record at the registry that no longer matches your keys makes validating resolvers return SERVFAIL for the whole zone. DNSSEC does not help when the attacker changes the records legitimately through a compromised registrar account; that is what domain lock and DNS change alerts cover.
**Subresource Integrity (SRI)**, though not DNS security, pins the hash of each third-party script loaded on your payment pages (analytics, chat widgets) so the browser refuses a modified copy. It only works for scripts whose content is fixed: a tag the vendor updates in place will stop loading, so pin a versioned URL or self-host the script. PCI DSS v4.0 requirements 6.4.3 and 11.6.1 call for exactly this kind of inventory and tamper detection on payment-page scripts. Combining DNS security with application-layer controls closes more of the attack surface.
## Monitoring for E-commerce Domains
E-commerce domains warrant more aggressive monitoring than the baseline:
- **Uptime and certificate monitoring**: Every minute your domain is unreachable costs revenue. Monitor from multiple locations.
- **DNS change alerts**: Treat any nameserver, DS, or record change you did not schedule as an incident until it is explained; a nameserver change you did not make is the signature of a registrar-account compromise.
- **WHOIS change monitoring**: Watch for registrant, registrar, nameserver and status changes; a lock silently dropping out of the status list is the usual precursor to an unauthorized transfer. Query RDAP rather than legacy WHOIS, since contact fields are increasingly redacted and RDAP returns the status list in a stable, parseable form.
- **Look-alike domain monitoring**: New registrations that resemble your brand.
See Domain Threat Monitoring for tooling and workflow recommendations.
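The DNS-change and WHOIS/RDAP alerting logic from the list above, as an added example (not code from the original article or from any monitoring product). It diffs two DNS snapshots, ranks each change by how much damage an unexpected one could do, downgrades changes covered by an approved ticket, and checks an RDAP status array for the registrar locks the baseline section requires. The snapshots, the ticket and the status array are constructed; the RDAP status names follow RFC 8056.

```python
"""Compare two DNS snapshots and an RDAP status list against what was
scheduled, and rank what changed. Added example, not code from the original
article; the snapshots, the change ticket and the RDAP status values below
are constructed (RDAP status names follow RFC 8056)."""

# Record types whose unexpected change moves the whole domain or its mail.
CRITICAL_TYPES = {"NS", "DS"}
HIGH_TYPES = {"A", "AAAA", "CNAME", "MX", "TXT", "CAA"}

# Locks that should always be present on a production e-commerce domain.
REQUIRED_LOCKS = {"client transfer prohibited", "client update prohibited", "client delete prohibited"}


def dns_alerts(before: dict, after: dict, scheduled: set = frozenset()) -> list:
    """before/after map (name, rtype) -> set of record values.

    scheduled holds (name, rtype) pairs covered by an approved change, so they
    are reported as informational instead of as incidents.
    """
    alerts = []
    for key in sorted(set(before) | set(after)):
        old, new = set(before.get(key, ())), set(after.get(key, ()))
        if old == new:
            continue
        name, rtype = key
        if key in scheduled:
            severity = "info"
        elif rtype in CRITICAL_TYPES:
            severity = "critical"
        elif rtype in HIGH_TYPES:
            severity = "high"
        else:
            severity = "medium"
        alerts.append({"severity": severity, "name": name, "type": rtype,
                       "added": sorted(new - old), "removed": sorted(old - new)})
    return alerts


def lock_alerts(rdap_status: list) -> list:
    """Return the lock statuses missing from an RDAP 'status' array.
    A lock that silently disappears is the usual precursor to a transfer."""
    present = {s.lower() for s in rdap_status}
    return sorted(REQUIRED_LOCKS - present)


# Constructed snapshots: the nameservers moved without a ticket, the SPF
# record gained an include under an approved ticket, and checkout's A record
# changed without one.
BEFORE = {
    ("shop.example", "NS"): {"ns1.dnshost.test", "ns2.dnshost.test"},
    ("shop.example", "TXT"): {"v=spf1 include:sendgrid.net -all"},
    ("checkout.shop.example", "A"): {"192.0.2.10"},
}
AFTER = {
    ("shop.example", "NS"): {"ns1.elsewhere.test", "ns2.elsewhere.test"},
    ("shop.example", "TXT"): {"v=spf1 include:sendgrid.net include:amazonses.com -all"},
    ("checkout.shop.example", "A"): {"198.51.100.7"},
}
SCHEDULED = {("shop.example", "TXT")}
# Constructed RDAP status array from which the transfer lock has dropped.
RDAP_STATUS = ["client update prohibited", "client delete prohibited", "active"]

if __name__ == "__main__":
    for alert in dns_alerts(BEFORE, AFTER, SCHEDULED):
        print(alert)
    print("missing locks:", lock_alerts(RDAP_STATUS))
```

Take the snapshots from an external resolver as well as from your DNS provider's API: a change that shows up only externally means the authoritative path itself has moved, which is the nameserver-hijack case.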
## Incident Response Planning
Despite all precautions, incidents happen. Have a documented plan before you need it. Know who to call at your registrar, hosting provider, and payment processor, and how to reach them out of hours. Know how to redirect traffic to a backup domain if your primary domain is compromised, which means the backup is already registered, locked, and able to obtain certificates. Test the plan annually. The time to find gaps is during a drill, not during an active incident.
See Domain Incident Response Playbook for a step-by-step playbook.