
Salesforce B2C Commerce

Posted: Mon May 26, 2025 3:30 am
by rochona
Salesforce B2C Commerce Cloud comes with a built-in Content Delivery Network (eCDN) that provides Web Application Firewall (WAF) and rate-limiting capabilities, which the store admin can activate themselves when needed. Depending on the configured sensitivity level, the built-in WAF can issue additional challenges in the form of a CAPTCHA to check that the visitor is human. Third-party bot-management solutions such as Perimeter-X and Datadome are also available from the B2C Marketplace. Read about Bot Management here.

Some organizations might be concerned about negatively impacting the user experience when implementing strong password requirements and additional CAPTCHA challenges. While the use of these features can help close security gaps, they require the user to spend slightly more time in the login process. Nonetheless, the benefit of preventing malicious attacks is well worth it in the long run.

Follow the above steps to proactively secure your eCommerce platform ahead of peak shopping periods. Save your organization time, money, and energy. Happy analyzing!


Related Trailhead content (Salesforce's free online learning platform):

Secure B2C Commerce storefront for shopping: implement B2C Commerce storefront security strategies that safeguard shopper and storefront data, such as MFA, firewall, and bot mitigation.

Trail: Prepare your Salesforce B2C Commerce storefront for holiday shopping. Evaluate your site performance, scalability, and security in anticipation of the shopping season.

Monitoring traffic
Every security analyst should ask themselves the following questions when examining these types of security logs:

Is this volume of traffic normal compared to your typical traffic metrics? Take this hypothetical scenario: does it make sense for your storefront to receive 10,000 login hits during peak hours, and for 10% of them to end in CUSTOMER_NOT_FOUND? A failure share far above your usual baseline points to automated credential testing rather than shoppers mistyping their details.

Did the traffic come from the same source (IP addresses, same ASNs), or from a country that your store doesn’t deliver to?

Did the events come from web browser versions that are out of date or not typically used anymore?

For example, the user agent Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) identifies Internet Explorer 11 on Windows 7. It was common back in 2015, but it is rarely seen from genuine shoppers in 2024, so a cluster of login events carrying it deserves a closer look.

If the log activity doesn't match typical patterns or expected behaviour, the next thing to look for is successful authentication from the same suspicious sources. Many shoppers reuse the same username and password across sites, so a threat actor holding credentials leaked elsewhere can replay them against your storefront to find combinations that still work (credential stuffing). If you suspect an account has been taken over this way, the quickest short-term containment step is to initiate a password reset for that account. If you're worried about having to perform the resets one by one, the following two endpoints can be used via OCAPI to perform bulk password resets.
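The questions above, turned into a small triage script. This is an added example, not code from the original post and not Salesforce tooling. Only the CUSTOMER_NOT_FOUND event name comes from the text; the record fields, the LOGIN_SUCCESS event name, the ship-to country list, the baseline failure rate and the per-IP threshold are assumptions you would replace with your own export's schema and your own measured baseline, and the sample events are constructed.

```python
"""Login-log triage for the questions above (added example, not Salesforce code).

Only CUSTOMER_NOT_FOUND is taken from the text. The record fields, the
LOGIN_SUCCESS event name, the ship-to list and the thresholds are assumptions;
the sample events are constructed. A real export would be read with
csv.DictReader into records of the same shape.
"""
import re
from collections import Counter, defaultdict

# Assumed: countries the store ships to; everything else is "not served".
SHIP_TO = {"US", "CA"}
# Assumed baseline: share of login hits that normally end in CUSTOMER_NOT_FOUND.
BASELINE_NOT_FOUND_RATE = 0.02
# Assumed: a single IP producing this many CUSTOMER_NOT_FOUND events is flagged.
PER_IP_FAILURE_THRESHOLD = 5
# IE / Windows 7-era user-agent signatures (Trident is the IE engine; NT 6.0/6.1
# are Vista/7). Tune this against your own traffic.
LEGACY_UA = re.compile(r"Trident/|MSIE |Windows NT 6\.[01]\b")

IE11_WIN7 = "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko"
CHROME_WIN10 = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
                "(KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36")


def _event(ts, event, login, ip, asn, country, ua):
    return {"timestamp": ts, "event": event, "login": login, "ip": ip,
            "asn": asn, "country": country, "user_agent": ua}


# Constructed sample: one source tries six different logins with an old IE
# user agent from a country the store does not serve, then succeeds once;
# two genuine shoppers log in from the US, one of them after a typo.
SAMPLE_EVENTS = [
    _event(f"2024-11-20T09:00:{i:02d}Z", "CUSTOMER_NOT_FOUND",
           f"user{i}@example.com", "203.0.113.5", "AS64500", "RU", IE11_WIN7)
    for i in range(1, 7)
] + [
    _event("2024-11-20T09:00:07Z", "LOGIN_SUCCESS", "victim@example.com",
           "203.0.113.5", "AS64500", "RU", IE11_WIN7),
    _event("2024-11-20T09:05:00Z", "LOGIN_SUCCESS", "alice@example.com",
           "198.51.100.10", "AS64501", "US", CHROME_WIN10),
    _event("2024-11-20T09:06:00Z", "CUSTOMER_NOT_FOUND", "bob@example.com",
           "198.51.100.11", "AS64501", "US", CHROME_WIN10),
    _event("2024-11-20T09:07:00Z", "LOGIN_SUCCESS", "bob@example.com",
           "198.51.100.11", "AS64501", "US", CHROME_WIN10),
]


def not_found_rate(events):
    """Share of all login hits that ended in CUSTOMER_NOT_FOUND (question 1)."""
    if not events:
        return 0.0
    failed = sum(1 for e in events if e["event"] == "CUSTOMER_NOT_FOUND")
    return failed / len(events)


def failures_by(events, key):
    """CUSTOMER_NOT_FOUND counts per source attribute: 'ip', 'asn' or 'country'."""
    return Counter(e[key] for e in events if e["event"] == "CUSTOMER_NOT_FOUND")


def suspicious_sources(events, threshold=PER_IP_FAILURE_THRESHOLD):
    """Map each flagged source IP to the reasons it was flagged (questions 2-3)."""
    reasons = defaultdict(set)
    for ip, n in failures_by(events, "ip").items():
        if n >= threshold:
            reasons[ip].add("high failure count")
    for e in events:
        if e["country"] not in SHIP_TO:
            reasons[e["ip"]].add(f"country {e['country']} not served")
        if LEGACY_UA.search(e["user_agent"]):
            reasons[e["ip"]].add("legacy user agent")
    return {ip: sorted(r) for ip, r in reasons.items()}


def accounts_to_reset(events, suspicious):
    """Logins that succeeded from a flagged source: first containment candidates."""
    return sorted({e["login"] for e in events
                   if e["event"] == "LOGIN_SUCCESS" and e["ip"] in suspicious})


def triage(events):
    """Run the whole checklist and return a report dict."""
    rate = not_found_rate(events)
    suspicious = suspicious_sources(events)
    return {
        "not_found_rate": rate,
        "rate_above_baseline": rate > BASELINE_NOT_FOUND_RATE,
        "failures_by_asn": dict(failures_by(events, "asn")),
        "suspicious_sources": suspicious,
        "accounts_to_reset": accounts_to_reset(events, suspicious),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_EVENTS).items():
        print(f"{key}: {value}")
```

Run as a script to print the report for the constructed sample: the failure rate is far above the assumed baseline, the one flagged IP is flagged for all three reasons, and victim@example.com is the only account that was successfully logged into from that source, so it is the one to reset first. Grouping failures by ASN (failures_by with "asn") catches the case where an attacker rotates IPs inside one hosting provider's range, which a per-IP count alone would miss.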