Enhance Order Access Security with the Allow List
Enable the Allowlist feature on the Limit Storefront Order Access setting if you aren’t yet limiting Storefront Order Access at all. This feature enhances security by ensuring that the customer ID of the current session is identical to the customer ID used for the creation of the order being accessed.
When: Starting with the B2C Commerce 24.5 release, the allowlist is available to test your storefront order access settings in Production. During this phase, storefront order access by controllers or hooks that aren’t on the allowlist isn't blocked. Controllers and hooks that access orders but aren’t included on the allowlist are posted in the alert section of the Business Manager.
How: In . Set the Limit Storefront Order Access dropdown to Allowlist. Enter the allowed storefront controllers as a comma-separated list. You can copy and paste them directly from the Business Manager alert. The alert highlights storefront order access after the feature is enabled.
Beginning with the B2C Commerce 24.8 release, the allowlist is functional. Attempts to fetch order information from the storefront are blocked if the customer ID of the current session isn’t identical to the customer ID used for the creation of the order. Controllers and hooks not listed on the allowlist are blocked from storefront order access. If you don’t change the Limit Storefront Order Access setting to Allowlist, you won’t experience any change from this feature.
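As an added example (not Salesforce's own code), the following script models the two phases described above so that a planned allowlist can be checked offline before the setting is enforced. The function names, the mode labels 'off', 'audit' (24.5) and 'enforce' (24.8), and the sample controller names are assumptions made for this example.

```javascript
// Added example, not Salesforce code: models the Limit Storefront Order Access
// policy described on this page. Names (parseAllowlist, evaluateOrderAccess,
// predictBlocked) and the mode labels 'off' / 'audit' (24.5) / 'enforce' (24.8+)
// are assumptions for this script; controller names used in tests are constructed.

// Parse the comma-separated controller list as entered in Business Manager:
// trim whitespace around each entry and drop empty entries.
function parseAllowlist(text) {
  return new Set(
    String(text || '')
      .split(',')
      .map(function (s) { return s.trim(); })
      .filter(function (s) { return s.length > 0; })
  );
}

// Decide one storefront order access.
//   mode:              'off' (setting unchanged), 'audit' (24.5), 'enforce' (24.8+)
//   allowlist:         Set or comma-separated string of allowed controllers/hooks
//   controller:        controller or hook attempting the access
//   sessionCustomerId: customer ID of the current session
//   orderCustomerId:   customer ID recorded when the order was created
// Returns { allowed, reasons, alert }: in audit mode nothing is blocked but an
// off-list controller produces an alert; in enforce mode both checks must pass.
function evaluateOrderAccess(opts) {
  var list = opts.allowlist instanceof Set ? opts.allowlist : parseAllowlist(opts.allowlist);
  var reasons = [];
  if (!list.has(opts.controller)) reasons.push('controller not on allowlist');
  if (opts.sessionCustomerId === undefined || opts.sessionCustomerId !== opts.orderCustomerId) {
    reasons.push('session customer does not match order customer');
  }
  if (opts.mode === 'off') return { allowed: true, reasons: [], alert: null };
  if (opts.mode === 'audit') {
    var offList = reasons.indexOf('controller not on allowlist') !== -1;
    var alert = offList ? opts.controller + ' accessed an order but is not on the allowlist' : null;
    return { allowed: true, reasons: reasons, alert: alert };
  }
  return { allowed: reasons.length === 0, reasons: reasons, alert: null };
}

// Given the controllers reported in the Business Manager alert during the audit
// phase and the planned allowlist, list those that would be blocked once enforced.
function predictBlocked(alertControllers, allowlistText) {
  var list = parseAllowlist(allowlistText);
  return alertControllers.filter(function (c) { return !list.has(c); });
}
```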

