CartIt Advanced Spoof Prevention

This dialog lets you tighten the Web site's security by restricting which Web pages are allowed to add items to CartIt. It is designed to help prevent shoppers from spoofing CartIt prices, but it is not foolproof: the check relies on the HTTP Referer header, which is sent (and controlled) by the shopper's browser. Some popular anti-virus "desktop security" products strip the Referer header from outgoing requests (the only browser we know of where the referer can NOT be blocked is Safari). If a shopper or a desktop security package DOES block referrers, the shopper gets a page from CartIt saying that the cart security was violated. The workaround is to UNcheck Reject Null Referrers, but once you do, anyone can post a CartIt form to your site (this behaviour is by design; it is not a security flaw). Either way, spoofing an HTTP Referer is trivial today, so you should always verify the prices and items on every order before you fill it. If your order volume is too large to do that, the current version of CartIt is probably not the right choice for your site.

Note: This has nothing to do with the checkout sequence; it applies only to the actual adding of items to the CartIt Shopping Cart.

Referring URL Expression:

This IS NOT a standard URL; it is a Perl regular expression that the Referer header of the add-to-cart request must match. Next to the input box, click the "Click Here for Suggested Expression" link and CartIt will recommend an expression based on your licensed domain name.

Example Code:


^https?://([a-zA-Z0-9\-\.]*\.)?yoursite\.com/

If your CommerceBuddy license key does not match your domain, you may need to change "yoursite" to match your site and ".com" to match your extension.

This expression allows Web pages on your licensed Web site to add items to CartIt: it matches an http or https Referer from the licensed domain, with or without a subdomain (for example www.yoursite.com or shop.yoursite.com), followed by a slash. A Referer that merely contains your domain, such as yoursite.com.evil.example or evil.example/yoursite.com/, does not match; neither does your own site on a non-standard port (yoursite.com:8080), so adjust the expression if you use one. This is the default regular expression and is recommended for all users.



Reject NULL Referrers (Recommended)
This option rejects add-item requests when the Web browser sends a NULL (missing or empty) referrer. This usually happens when someone adds an item to CartIt from a page saved on their local hard drive, or when a desktop security product strips the Referer header as described above. It can also happen with other dynamic technology such as JavaScript and Flash.

Reject GET Requests
This option rejects add-item requests that arrive as HTTP GET requests (items passed in the URL query string).
If your Web site ALWAYS uses POST requests for adding items to CartIt (most forms use POST), check this box.

Reject POST Requests
This option rejects add-item requests that arrive as HTTP POST requests. Do not check this box unless your CartIt Commerce Developer has instructed you to.
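The following is an added example, not CartIt's own code, showing how the three options above and the default referring-URL expression fit together, and why the text insists on verifying prices anyway. It uses the default expression unchanged (with "yoursite.com" standing in for the licensed domain); Python's re module and Perl agree on every construct in it. The function names, the small price catalog and the sample requests are constructed for this illustration and are not part of CartIt. The last sample request carries a forged Referer and a tampered price: the referer check passes, exactly as the text warns, and only the server-side re-pricing step restores the real price.

```python
import re
from decimal import Decimal

# The dialog's default referring-URL expression, used unchanged.
REFERER_RE = re.compile(r"^https?://([a-zA-Z0-9\-\.]*\.)?yoursite\.com/")

# Hypothetical server-side catalog (constructed for this example). This is the
# only source of prices the shop should ever trust; nothing in the request is.
CATALOG = {"SKU-100": Decimal("19.99"), "SKU-200": Decimal("4.50")}


def referer_allowed(referer, reject_null=True):
    """Apply the Referring URL Expression and the Reject NULL Referrers option.

    A missing or empty Referer header is a "null referrer". Browsers loading a
    saved page and some desktop security products send none, so rejecting it
    turns away some real shoppers as well as attackers.
    """
    if not referer:
        return not reject_null
    return REFERER_RE.search(referer) is not None


def method_allowed(method, reject_get=False, reject_post=False):
    """Apply the Reject GET Requests / Reject POST Requests options."""
    method = method.upper()
    if method == "GET":
        return not reject_get
    if method == "POST":
        return not reject_post
    return False  # anything else (HEAD, PUT, ...) never adds items


def check_add_request(method, referer, items, *, reject_null=True,
                      reject_get=False, reject_post=False):
    """Screen an add-to-cart request, then re-price it from the catalog.

    Returns (accepted, reason, priced_items). The referer and method checks
    mirror the dialog's options; the re-pricing step is the control that
    actually stops price spoofing, because the Referer is chosen by the client.
    """
    if not method_allowed(method, reject_get, reject_post):
        return False, "method rejected", []
    if not referer_allowed(referer, reject_null):
        return False, "referer rejected", []
    priced = []
    for item in items:
        sku = item.get("sku")
        if sku not in CATALOG:
            return False, f"unknown item {sku!r}", []
        qty = int(item.get("qty", 1))
        if qty < 1:
            return False, f"bad quantity for {sku}", []
        # Deliberately ignore any "price" field the form posted.
        priced.append({"sku": sku, "qty": qty, "price": CATALOG[sku]})
    return True, "ok", priced


def order_total(priced_items):
    return sum((i["price"] * i["qty"] for i in priced_items), Decimal("0"))


if __name__ == "__main__":
    good = [{"sku": "SKU-100", "qty": 2, "price": "19.99"}]
    # Tampered form: same SKU, client-supplied price of one cent, sent with a
    # Referer header the attacker set to look like the licensed site.
    spoofed = [{"sku": "SKU-100", "qty": 2, "price": "0.01"}]
    cases = [
        ("POST", "https://www.yoursite.com/shop.html", good),
        ("POST", "https://yoursite.com.evil.example/shop.html", good),
        ("POST", "https://evil.example/yoursite.com/", good),
        ("POST", "", good),
        ("GET", "https://yoursite.com/shop.html", good),
        ("POST", "https://yoursite.com/shop.html", spoofed),
    ]
    for method, ref, items in cases:
        ok, why, priced = check_add_request(method, ref, items, reject_get=True)
        shown = ref or "<null referer>"
        print(f"{method:4} {shown:48} -> {ok} ({why}) total={order_total(priced)}")
```

Run it as a script to see each sample request's verdict. The lookalike and path-embedded domains are refused by the expression and the null referer is refused by default, but the forged Referer is accepted, which is the page's point: treat these options as a nuisance filter and let the catalog, not the posted form, decide the price.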


Testing Your Security Options
You should test your site thoroughly. The best way to test your security options is to publish them with CommerceBuddy, then visit your Web site and attempt to add items to the cart. If you attempt to add an item to CartIt but it does not get added, and you are sure the page was built correctly, these settings are probably rejecting the request: check the referring-URL expression against the actual address of the page first, then the Reject NULL Referrers and Reject GET/POST options.