
B2C Commerce Demandware.net Origin Shielding - Phase 3

Publish Date: Dec 10, 2025
Description
At Salesforce, we understand that the confidentiality, integrity, and availability of your data are vital to your business, and we take the protection of your data seriously. From April through August 2022, Commerce Cloud is changing access to demandware.net hostnames by creating customer-specific Content Delivery Network (CDN) zones and firewall rules to allow Business Manager and other legitimate traffic from only Commerce Cloud trusted sources. This change helps protect your environments and data from malicious activity such as distributed denial of service (DDoS) or bot attacks.
Resolution

What’s changing?
As of April 2022, Commerce Cloud will start blocking traffic that doesn’t originate from Commerce Cloud eCDN from accessing the hyphenated demandware.net hostname. This change rejects calls that use the hyphenated hostnames beginning with production- or development- to access Open Commerce API (OCAPI) or Storefront.

Traffic through demandware.net doesn’t provide eCDN controls today. Take action to protect your data by ensuring that external traffic passes through the security layers of the eCDN before it accesses your environment.

How is my org affected?
This change affects Commerce Cloud customers who use production- or development- hostnames to access OCAPI or Storefront. Change these hyphenated hostnames to your vanity hostname to avoid any impact from the change. 

Implementations that use the Commerce Cloud eCDN or a stacked CDN configuration in front of the Commerce Cloud eCDN, for example, using a vanity hostname such as brand.com, www.brand.com, aren’t affected. If you access Business Manager via production-realm-customer.demandware.net, you aren’t affected because Business Manager is considered internal to the Commerce Cloud ecosystem.

When is the change happening?
The change is enforced in phases from April through August 2022. 

  • April 15: Change enforced for all newly created realms, for example, production and development instances. New Commerce Cloud customers and new realms reject all calls made to hostnames in the hyphenated format for demandware.net.
  • May 15: Change enforced for all existing development instances. All development instances reject calls made to hostnames in the hyphenated form for demandware.net.
  • August 15: Change enforced for all existing production instances. All production instances reject calls made to hostnames in the hyphenated form for demandware.net.


How can I prepare?
Please take the following actions:

  • Review current implementations for usage of any calls intentionally made for OCAPI or Storefront with hostnames in the hyphenated form for demandware.net -- for example, production-xxx.demandware.net
    • Note: You can continue to access Business Manager production-realm-customer.demandware.net because Business Manager is considered internal to the Commerce Cloud ecosystem.
  • Update the affected services or applications to use your vanity hostname, for example, brand.com, www.brand.com, and direct traffic through the eCDN.
  • If you don’t have a vanity hostname, create a custom domain for your OCAPI calls instead of targeting the production- or development- hostnames.
  • Follow the instructions in Configure the Embedded CDN to create a custom domain to use for the OCAPI calls. Follow those instructions for both Production and Development instances.
  • Deprecate non-Server Name Indication (SNI) traffic from any point-of-sale system, mobile app, or third-party CDN/Proxy. Work with your service providers to ensure they can use SNI for requests/API to eCDN.
  • After the rollout to your Development instances in May 2022, test to confirm whether any services or applications are affected, and then update them accordingly.


What steps do I take to deprecate non-SNI traffic?
Update your supported web browsers.

  • Modern browsers that are less than 6 years old support an extension to the SSL/TLS protocol called Server Name Indication (SNI), but older legacy browsers and web servers don’t support SNI.
  • The two largest legacy browsers that struggle with SNI are Internet Explorer on Windows XP (or older) and Android pre-Ice Cream Sandwich.

Review stacked Akamai configurations for non-SNI traffic going to an SFCC/Cloudflare root domain.

  • Akamai Origin Server Setting has an option to Enable SNI while making connections upstream. Most users don’t enable this option. To update an Akamai stacked setup, follow these steps to configure it to use SNI only.


Which specific services are still allowed to access the hyphenated demandware.net hostname?

  • Business Manager
  • Inventory Service
  • Analytics Service
  • Order Integration Service
  • Salesforce Commerce API (SCAPI) calls
  • Shopper Login (SLAS)
  • WebDAV calls
  • /dw/monitor calls for health checks
  • sfcc-ci tool (developer instance only)
  • Data APIs


Please note that not all Salesforce services will be included in these new firewall rules by Commerce Cloud.
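
An added example, not part of the Salesforce article: a Python sketch of the review step under "How can I prepare?", which scans configuration text for hyphenated demandware.net URLs and separates calls that need a vanity hostname from those in the allowed-services list above. The WebDAV and Business Manager path prefixes, the sample hostnames and the version string are assumptions; only /dw/monitor is named on this page.

```python
import re
from urllib.parse import urlsplit

# Hyphenated instance hostnames described on this page (production-... / development-...).
HYPHENATED = re.compile(r"^(production|development)-[a-z0-9-]+\.demandware\.net$")
URL = re.compile(r"https?://[^\s\"'<>]+")

# ASSUMPTION: path prefixes used to recognise services the page lists as still
# allowed. Only /dw/monitor is spelled out on the page; adjust the others to
# match your own integrations.
ALLOWED_PREFIXES = {
    "/dw/monitor": "health check",
    "/on/demandware.servlet/webdav/": "WebDAV",
    "/on/demandware.store/Sites-Site": "Business Manager",
}


def classify(url):
    """Return (verdict, reason) for one URL; verdict is ok, allowed or migrate."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if not HYPHENATED.match(host):
        return "ok", "not a hyphenated demandware.net hostname"
    for prefix, service in ALLOWED_PREFIXES.items():
        if parts.path.startswith(prefix):
            return "allowed", service
    return "migrate", "OCAPI/Storefront call must use the vanity hostname"


def scan(text):
    """Return (line_no, url, verdict, reason) for every non-ok URL in text."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for raw in URL.findall(line):
            url = raw.rstrip(".,;)")  # drop trailing punctuation from prose or configs
            verdict, reason = classify(url)
            if verdict != "ok":
                findings.append((line_no, url, verdict, reason))
    return findings


# Constructed sample configuration (hostnames, site ID and version are placeholders).
SAMPLE = """\
ocapi.base=https://production-example-brand.demandware.net/s/SiteA/dw/shop/v23_2
storefront.url=https://www.brand.example/s/SiteA/home
healthcheck=https://production-example-brand.demandware.net/dw/monitor
webdav=https://development-example-brand.demandware.net/on/demandware.servlet/webdav/Sites/Impex
"""

if __name__ == "__main__":
    for line_no, url, verdict, reason in scan(SAMPLE):
        print(f"line {line_no}: {verdict:8} {url} ({reason})")
```

Entries reported as migrate are the ones to repoint at the vanity hostname before the enforcement date for that instance type.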


Get Help
Direct questions about this change to the B2C Commerce Trailblazer Group. If you notice a critical impact to environments during enforcement, or if the new firewall rules are not working as expected, you can raise a case with Salesforce Support.

Knowledge Article Number

000391803

 