Routing and Policies - Content Delivery Network Control

Control Name

Salesforce Content Delivery Network for Experience Site

Recommended Configuration

Use Content Delivery Network (CDN) by default when enhanced domains are enabled for Experience Cloud sites.

Setup>Domains>Domain Edit>Serve the domain with the Salesforce Content Delivery Network (CDN).

Control Overview

For optimal performance and robust security for Salesforce Experience Cloud LWR sites, enable the Salesforce Content Delivery Network (CDN) using a Single Domain Certificate. This control uses global edge caching to minimize latency while simultaneously deploying an integrated Web Application Firewall (WAF) and rate-limiting to automatically detect and block malicious traffic, such as SQL injection, cross-site scripting, and DDoS attacks.

Security Risk If Not Configured

Failure to enable the Salesforce CDN leaves Experience Cloud LWR sites exposed to sophisticated application-layer attacks—such as SQL injection and cross-site scripting—and disruptive DDoS events that would otherwise be mitigated by the integrated WAF and rate-limiting. Additionally, the absence of global edge caching significantly increases latency and server load, risking performance degradation and site unavailability during peak traffic periods.

Threat Scenarios

A malicious actor launches a distributed denial-of-service (DDoS) attack against the company's Experience Cloud LWR site, which, lacking the rate-limiting and edge-caching protections of the Salesforce CDN, quickly becomes unresponsive to legitimate users. Without an active Web Application Firewall (WAF) to filter incoming requests, the attacker simultaneously exploits common web vulnerabilities like cross-site scripting (XSS) to hijack user sessions or inject malicious code, leading to data exfiltration and severe service disruption.

Estimated CVSS Score Range

Critical (9.0–10.0).

Risk Impact Considerations

Depending on the type of data hosted on the experience site, and the intended user of the site.

Higher Risk When

Your LWR experience site is not configured with your own CDN that has no WAF functionality or not using CDN.

Low or No Risk When

Configure your LWR experience site to use your own CDN with WAF configuration.

Business and Integration Considerations

User locations are part of the consideration in enabling CDN and also the ability to monitor malicious traffic through WAF enabled with the CDN functionality.

Recommended Remediation

Enable Salesforce CDN or use your own CDN with controls to monitor traffic going to your site.

Security Health Review Guidance

Security Health Review identifies whether CDN has been configured to help customers optimize page load times and site performance with our content delivery network (CDN). Salesforce partners with a CDN provider to deliver efficiently publicly cacheable content to users on your Experience Cloud sites.

Web application firewall and rate-limiting security features are included for sites that use the Salesforce CDN with single domain certificates. These features improve security by filtering out bad traffic. Focusing on valid traffic improves your site’s performance for your customers.