Loading

B2C Commerce Demandware.net Origin Shielding - Phase 4

Publiceringsdatum: Dec 10, 2025
Beskrivning

At Salesforce, we understand that the confidentiality, integrity, and availability of your data is vital to your business, and we take the protection of your data seriously. In October 2024, Commerce Cloud is changing access to demandware.net hostnames for Staging instances by creating customer-specific Content Delivery Network (CDN) zones and firewall rules to allow Business Manager and other legitimate traffic from only Commerce Cloud trusted sources. This change helps protect your environments and data from malicious activity such as distributed denial of service (DDoS) or bot attacks. 

Lösning

What’s changing?
As of October 2024, Commerce Cloud will start blocking traffic that doesn’t originate from Commerce Cloud eCDN from accessing the dotted or hyphenated demandware.net hostnames for Staging instances. This change rejects calls made with direct IP to SFCC PODs or hostnames in the ‘dot’ form i.e. staging.* or 'hyphenated' form i.e. staging-* to access Open Commerce API (OCAPI) or Storefront.

How is my org affected?
This change affects Commerce Cloud customers who use the staging- or staging. hostnames to access OCAPI or Storefront. Change these dotted and/or hyphenated hostnames to a vanity hostname to avoid any impact from the change. 

Implementations that use the Commerce Cloud eCDN or a stacked CDN configuration in front of the Commerce Cloud eCDN, for example, using a vanity hostname such as brand.comwww.brand.com, aren’t affected. If you access Business Manager via staging-realm-customer.demandware.net, you aren’t affected because Business Manager is considered internal to the Commerce Cloud B2C ecosystem.

When is the change happening?
The change is enforced on October 7th 2024 where the change will be enforced for all existing staging instances. At that point, all staging instances will reject calls for staging instances made to hostnames in the dotted or hyphenated form for demandware.net.


How can I prepare?
Please take the following actions:

  • Review current implementations for usage of any calls intentionally made for OCAPI or Storefront using direct POD IPs, dot-form hostnames, or hyphenated hostnames for demandware.net -- for example, staging.xxx.demandware.net or staging-xxx.demandware.net
    • Note: You can continue to access Business Manager staging-realm-customer.demandware.net because Business Manager is considered internal to the Commerce Cloud ecosystem.
  • Update the affected services or applications to use your vanity hostname, for example, brand.com, www.brand.com, and direct traffic through the eCDN.
  • If you don’t have a vanity hostname, create a custom domain for your OCAPI calls instead of targeting the production- or development- hostnames.
  • Follow the instructions to Configure the Embedded CDN to create a custom domain to use for the OCAPI calls.
  • Deprecate non-Server Name Indication (SNI) traffic from any point-of-sale system, mobile app, or third-party CDN/Proxy. Work with your service providers to ensure they can use SNI for requests/API to eCDN.
  • After the rollout to the Staging instance, test to confirm whether any services or applications are affected, and then update them accordingly.


What steps do I take to deprecate non-SNI traffic?
Update your supported web browsers.

  • Modern browsers that are less than 6 years old support an extension to the SSL protocol called Server Name Indication (SNI), but older legacy browsers and web servers don’t support SNI.
  • The two largest legacy browsers that struggle with SNI are Internet Explorer on Windows XP (or older) and Android pre-Ice Cream Sandwich.

Review stacked Akamai configurations for non-SNI traffic going to a SFCC/Cloudflare root domain.

  • Akamai Origin Server Setting has an option to Enable SNI while making connections upstream. Most users don’t enable this option. To update an Akamai stacked setup, follow these steps to configure it to use SNI only.


Which specific services are still allowed to access the hyphenated demandware.net hostname?

  • Business Manager
  • Inventory Service
  • Analytics Service
  • Order Integration Service
  • Salesforce Commerce API (SCAPI) calls
  • Shopper Login (SLAS)
  • WebDAV calls
  • /dw/monitor calls for health checks
  • sfcc-ci tool (developer & staging instances)
  • Data APIs


Please note that not all Salesforce services will be included in these new firewall rules by Commerce Cloud.


Get Help
Direct questions about this change to the B2C Commerce Trailblazer Group. If you notice a critical impact to environments during enforcement, or if the new firewall rules are not working as expected, you can raise a case with Commerce Cloud Support

Knowledge-artikelnummer

002628746

 
Laddar
Salesforce Help | Article