The importance of Origin Shielding and your Commerce Cloud instance

Today, we’re exploring the crucial role of Origin Shielding in Salesforce B2C Commerce Cloud. Online security has always mattered, and it matters more every year, so we’ll look at what Origin Shielding (and Origin Locking) is. We will also share the steps you need to take in your projects.

Let’s dive into the details!

What is "Origin Shielding"?

Origin shielding protects the origin server (in our case, the Application Servers) by funneling all incoming traffic through an intermediate layer, or shield.

When someone tries to access content hosted on Salesforce, Mobify, or Demandware, the Embedded Content Delivery Network (eCDN) steps in. It intercepts the request, verifies its legitimacy, and only sends valid requests to the origin servers.

This process reduces the risk of direct attacks on the origin infrastructure and adds an extra layer of protection against unauthorised access. After all, Cloudflare does have a few things in its arsenal.

Long story short, origin shielding is a security measure for safeguarding cloud-hosted infrastructure, ensuring both the integrity and availability of Salesforce’s services.

A dramatic image of a superhero in front of a server, protecting it from a "bad" actor in the shadows.
Cloudflare is our "hero" protecting and routing traffic on our behalf!

The back-end and OCAPI

Origin shielding was implemented to manage access to the Demandware URLs of our storefronts and to OCAPI on the “Primary Instance Groups.”

Although this change was communicated multiple times in advance, many projects still encountered unexpected disconnections from third-party services.

With the introduction of Origin Shielding, any third-party system attempting to access controllers or OCAPI APIs through the Demandware URL received an error page.

A screenshot of the Cloudflare Origin Shielding error shows that the user has been blocked.
The Cloudflare error page.

SCAPI

The SCAPI has not changed much. It still operates on Cloudflare Edge Functions and manages all the complexities behind the scenes.
However, this setup also means we have less control over it and are entirely dependent on Salesforce to ensure everything works smoothly.

Managed Runtime and Origin Locking

In the Composable Storefront, we gain more control because we handle all the operations ourselves. Fortunately, this process is fully documented on the help site!

An overprotective "hero"

The image I used before may seem a bit dramatic, but it highlights that we need to be vigilant about our own integrations. The system doesn’t distinguish between good and bad actors, which can lead to inconveniences.

We need the “know-how” to ensure our third-party systems can access everything we require.

What do I do?

To ensure that neither you nor any third-party system runs into access issues because of Origin Shielding, there are a few simple things to do.

The steps below might seem simple and even like common sense. However, during the stress of going live and approaching deadlines, they can easily be overlooked.

1. Configure Vanity Domains

The first thing to do to prevent access interruptions is to configure a vanity domain for all your environments, including staging, development, and production.

A vanity domain serves as a friendly URL that is easier to remember and manage, and it is also recognised by Origin Shielding (and configured in the eCDN itself).

Rather than using 'https://production-eu01-mybrand.demandware.net', we can use a nicer domain such as 'https://brand.com'.

2. Use the domains

The next step is pretty simple: good communication. Make sure to inform all relevant parties so they update their configurations to point to the vanity domains rather than the direct Demandware URLs.

Getting this information to the right people will significantly reduce the likelihood of running into the error page for unauthorised access.

3. Test

Before launching, make sure to test everything thoroughly. Check that all third-party systems can access your storefront and API features through the vanity domain. This step will help you find and fix any issues before they affect your operations.

A cartoon depicting two people conversing with a chat bubble containing various colored emoticons.
Good communication is key in any project.

4. Monitor

Monitor your eCDN logs for unusual activity or blocked requests. This will help you spot any third-party system whose requests to your resources are still being blocked, allowing you to take action quickly.
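The two checks behind steps 2 to 4 can be scripted. The example below is added here and is not part of the original post or of any Salesforce tooling: it audits a list of third-party endpoint configurations for hosts that still point at the direct Demandware URL and suggests the vanity-domain equivalent, and it scans eCDN request logs for blocked requests grouped by requested host and client IP so a still-misconfigured integration stands out. The vanity-domain mapping, the endpoint list and the log lines are constructed sample data; the log field names (ClientIP, ClientRequestHost, EdgeResponseStatus) follow the Cloudflare HTTP request log naming and are an assumption about your own export format.

```python
import json
import re
from collections import Counter
from urllib.parse import urlparse

# Assumed mapping of direct Demandware hostnames to the vanity domains
# configured for each environment in step 1 (constructed sample values).
VANITY_DOMAINS = {
    "production-eu01-mybrand.demandware.net": "brand.com",
    "staging-eu01-mybrand.demandware.net": "staging.brand.com",
    "development-eu01-mybrand.demandware.net": "dev.brand.com",
}

DEMANDWARE_HOST = re.compile(r"\.demandware\.net$", re.IGNORECASE)

# Constructed sample of how third-party systems might have our endpoints
# configured: two still use the direct URL, one already uses the vanity domain.
SAMPLE_ENDPOINTS = [
    ("oms", "https://production-eu01-mybrand.demandware.net/s/-/dw/data/v23_2/jobs"),
    ("pim", "https://brand.com/on/demandware.store/Sites-brand-Site/en_GB/Product-Show"),
    ("erp", "https://staging-eu01-mybrand.demandware.net/s/-/dw/shop/v23_2/orders"),
]

# Constructed JSON-lines eCDN log sample; field names are an assumption.
SAMPLE_LOGS = """
{"ClientIP": "203.0.113.10", "ClientRequestHost": "production-eu01-mybrand.demandware.net", "ClientRequestURI": "/s/-/dw/data/v23_2/jobs", "EdgeResponseStatus": 403}
{"ClientIP": "203.0.113.10", "ClientRequestHost": "production-eu01-mybrand.demandware.net", "ClientRequestURI": "/s/-/dw/data/v23_2/jobs", "EdgeResponseStatus": 403}
{"ClientIP": "198.51.100.7", "ClientRequestHost": "brand.com", "ClientRequestURI": "/s/-/dw/shop/v23_2/orders", "EdgeResponseStatus": 200}
not-json
""".strip().splitlines()


def audit_endpoints(endpoints):
    """Return (system, url, suggested_url) for each endpoint that still
    targets a direct *.demandware.net host (steps 2 and 3).
    suggested_url is None when no vanity domain is known for that host."""
    findings = []
    for system, url in endpoints:
        parsed = urlparse(url)
        host = (parsed.hostname or "").lower()
        if not DEMANDWARE_HOST.search(host):
            continue  # already on a vanity domain, nothing to report
        vanity = VANITY_DOMAINS.get(host)
        suggested = parsed._replace(netloc=vanity).geturl() if vanity else None
        findings.append((system, url, suggested))
    return findings


def blocked_requests(log_lines, blocked_statuses=(403,)):
    """Count blocked requests per (requested host, client IP) from JSON-lines
    eCDN logs (step 4). Malformed lines are skipped, not fatal, so one bad
    record cannot hide the rest of the scan."""
    counts = Counter()
    for line in log_lines:
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue
        if rec.get("EdgeResponseStatus") in blocked_statuses:
            key = (rec.get("ClientRequestHost", "?"), rec.get("ClientIP", "?"))
            counts[key] += 1
    return counts


if __name__ == "__main__":
    for system, url, suggested in audit_endpoints(SAMPLE_ENDPOINTS):
        print(f"[{system}] still uses {url}")
        print(f"         suggested: {suggested or 'no vanity domain configured'}")
    for (host, ip), n in blocked_requests(SAMPLE_LOGS).most_common():
        print(f"{n} blocked request(s) for {host} from {ip}")
```

Run the audit before go-live with the endpoint list you collected from each third party; a non-empty result means step 2 is not finished. Run the log scan on a regular export after go-live; a client IP that keeps showing up against a *.demandware.net host is almost always an integration that never switched to the vanity domain.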

A digital picture of servers being protected by a force field.
