Considerations for the Salesforce CDN

Recommended Option

The Salesforce CDN is the recommended configuration option for custom domains that serve Digital Experiences, including Experiences built with Experience Cloud, Commerce, and Industries licenses. If the Salesforce CDN option isn’t available, make sure that Digital Experiences is enabled for your org.

Note The Salesforce CDN is the content delivery network recommended for serving sites and stores. Go to Enable the Lightning CDN to Load Applications Faster enable the Lightning CDN for your Salesforce org.

The Salesforce CDN Partners

Salesforce uses a CDN partner service to optimize content delivery. All information that’s sent to or returned by a domain is stored and transmitted through our CDN.

Note The Salesforce CDN isn't recommended for sites in China or sites with Chinese users. We recommend using your own CDN with a local Chinese CDN provider. Please reach out to Salesforce Support for recommendations and work with your local CDN provider on the configuration, performance, and regulatory considerations of your site.

Supported Environments

In each production environment, you can define multiple sandbox custom domains.

Supported Domain Levels and Sites

When you use our CDN, Salesforce is unable to serve a registrable domain, such as example.com. The Salesforce CDN only serves subdomains, such as www.example.com or parts.example.com. If your site needs a registrable domain served from a CDN, host it on a CDN outside of Salesforce.

Likewise, the Salesforce CDN is available for custom domains that serve Experience Cloud site content. To use a CDN to serve content from your Salesforce Site, use a CDN outside of Salesforce. Commerce LWR sites can’t use a CDN outside of Salesforce.

Opt Out of the Salesforce CDN

Government Cloud Plus orgs can opt out of the Salesforce CDN for your system-managed *.my.site.com domain. To opt out, go to Setup, then in the Quick Find box, enter My Domain, and then select My Domain. Then in the Routing section, deselect Use Content Delivery Network (CDN) by default when enhanced domains are enabled for Experience Cloud sites.

You can also disable your site’s Experience Cloud content delivery network (CDN) on your own in sandbox orgs and see if there are any negative impacts before it’s disabled in your production org. To test how disabling the CDN for enhanced domains affects your org, from My Domain Settings of your sandbox org, deselect Use Content Delivery Network (CDN) by default when enhanced domains are enabled for Experience Cloud Sites.

Activation Timing

To minimize the impact to your users, activate the Salesforce CDN when your site traffic is low.

HTTP/2 Support

The Salesforce CDN supports HTTP/2 protocols. Experience Cloud sites served through our CDN support HTTP/2 for fast content delivery. Salesforce also provides a secure HTTPS site and certificates.

File Size Limit

If you choose to use the system-managed .my.site.com URL provided by Salesforce, you can upload files up to 128MB in size per file. If you create a custom domain, you can upload files up to 500MB in size per file.

URI Size Limit

The maximum URI size limit for our CDN is 16 kilobytes. If you must exceed this amount, disable the Salesforce CDN.

Provisioning a Domain for Salesforce CDN

Domain provisioning is the process of setting up and configuring a domain name on the internet. In other words, when Salesforce provisions your custom domain, we get it ready for use. Provisioning usually takes fewer than 12 hours, but it can take up to 24 hours to complete. After provisioning, activate your Salesforce domain to create or update the domain canonical name (CNAME). Activation across the internet can take up to 20 minutes.

Until you activate the domain, the domain uses its previous HTTPS configuration. If you add a domain to your org using our CDN, the initial configuration before activation is HTTP.

Provisioning a Domain for a Third-Party CDN

If you use your own CDN and add a domain and provision the CDN at the same time, visitors to your site can see a certificate error. The host name on the certificate doesn’t match the custom domain until you activate the domain. Activating the domain resolves the error message.

Until you activate the domain, the domain uses its previous HTTPS configuration.

Switching to the Salesforce CDN

When you change the HTTPS option on an existing domain to the Salesforce CDN, the provisioning process usually takes fewer than 12 hours, but it can take up to 24 hours. After you activate the domain, visitors to your site can see errors for up to 5 minutes:

• Connection reset errors, such as “The site doesn’t load.”
• DNS error messages like “Server DNS address couldn’t be found.”

Caching with the Salesforce CDN

Caching on our CDN improves your site’s performance and scale. When your users access a site served by the Salesforce CDN, cached content is served directly from CDN servers. CDN servers are distributed globally and are often closer to your users than Salesforce servers. Because cached content is served directly from CDN servers, your users experience faster load times routinely and in times of high traffic. CDN caching can work with browser-side caching, which also improves performance.

The Aura, LWR, and Visualforce frameworks for building Experience Cloud sites cache content on CDN slightly differently. But no matter which framework you use to build your site, consider caching only public content on our CDN.

Aura caches mostly static content, including Salesforce CMS content, images, javascript, CSS files, font files, and more. In comparison, Lightning Web Runtime (LWR) is built for performance and scale, and it caches more publicly available content in addition to static resources. In LWR, Salesforce caches base documents for a site’s pages, public data returned from Salesforce API calls, and public data from Apex methods used internally. Admins and developers can cache their Apex methods that return public data.

Single Versus Shared Server Certificates

We recommend single domain certificates over shared certificates. Shared certificates often include other customer host names in the subject alternative name list. The server certificate for shared certificates also changes frequently, which can cause issues for API clients that require the exact server certificate rather than the root certificate authority. Single certificates offer better security and a single branded experience for your site.

Shared certificates are no longer available for new sites using the Salesforce CDN. If you have an existing custom domain on a shared certificate, you can see a shared option while configuring our CDN. To switch from a shared certificate to a single certificate, on the Domain Edit page, select the Single certificate for content delivery network (CDN). There’s no downtime when you switch from a shared certificate to a single certificate.

Orgs that purchase Experience Cloud licenses and use a third-party CDN service get 10 Experience Cloud CDN single certificate domains and 48 terabytes (TB) of traffic per year. Orgs that host LWR Commerce sites or sites hosted on Experience Delivery and use our CDN partner get 5 branded certificates and no limit on traffic per year. If you haven’t purchased an Experience Cloud license, your org can provision 5 single certificate domains and get 5 TB of annual traffic. You can contact your account executive to increase the traffic allowances. To increase the number of certificates available per org, contact Salesforce Customer Support.

Security Services Included with the Salesforce CDN

Web application firewall and rate-limiting security features are included for sites that use the Salesforce CDN with single domain certificates. These features improve security by filtering out bad traffic. Focusing on valid traffic improves your site’s performance for your customers.

The web application firewall (WAF) catches and rejects attempts to compromise your system. For example, the firewall catches attempts to use SQL injection, command injection, and cross-site scripting. If someone attempts to put malicious content in your site, the firewall filters and rejects the request.

Rate limiting (RL) monitors and blocks abnormal increases in traffic. If the number of requests suddenly increases by a certain threshold, rate limiting blocks the requests. Rate limiting also blocks unusual increases in requests within a time period, for example, a week.

If you notice that your site isn’t performing as well or that valid requests are getting blocked, on the Edit Domain page, deselect the Use the Salesforce CDN’s enhanced security services checkbox.

Domain CNAME Changes

Your domain must use the same CNAME that shows on the Domains Setup page. Changing your CNAME after activating the Salesforce CDN with a shared certificate causes your domain traffic to go directly to your servers. It no longer passes through the CDN.

If you want to resume use of the Salesforce CDN after changing your CNAME, update your domain in Salesforce to the correct CNAME. After you update, provision the domain again with the CDN option.

Note Don’t change single certificate domains with the _acme-challenge CNAME if the single certificate is provisioning or has finished provisioning. If you update or delete the _acme-challenge CNAME before provisioning is complete, it can delay the provisioning process. If it’s updated after provisioning the domain, you can have issues when the certificate is due for renewal.

CDN Changes and Single Sign-On

Changing the Salesforce CDN affects SAML Single Sign-On Settings for all custom URLs in that domain. Reconfirm the SAML Single Sign-On Settings for each HTTPS custom URL in that domain after activating a change. Login Settings are available in Experience Workspaces | Administration | Login & Registration.

Data Privacy & Security

When you enable the Salesforce CDN, information sent to or returned by the domain is stored and transmitted by our CDN partner service. For Aura sites, cached content includes static content such as HTML pages, javascript and CSS files, images, and font files.

For LWR sites, cached content includes static content and other publicly cacheable content. Where appropriate, Salesforce caches public content from APIs and Apex methods in standard pages and components. Admins and developers can control caching of Apex methods that use @wire invocation in LWC for their guest users. Only Apex methods annotated with @AuraEnabled(cacheable=true scope=’global’) are cached. Caching public data from annotated Apex methods in managed packages is enabled by default. To disable this preference, go to Experience Workspaces | Administration | Preferences and deselect Cache public data from Apex methods in Managed Packages.

Our CDN partner manages privacy and security protections for data that is shared. All communications between our CDN partner and Salesforce are conducted over HTTPs.

Our CDN partner supports IPv6. If IP restrictions are configured in Salesforce with only IPv4 addresses, users can see an error when they access your site that ends in *.my.site.com via IPv6. To prevent that error, update your IP allowlists or restrictions to allow IPv6 source addresses for authorized users. In particular, review and update the login IP range restrictions for the relevant profiles, including the site’s guest user profile. For more information on setting IP restrictions for Salesforce, see Network Access, Session Settings, and Profile-based IP restrictions.

Image Optimization

The Salesforce CDN includes an image optimization feature that makes your site’s pages load faster for guest users, whether they’re viewing your site on their phone, tablet, or desktop computer. The image optimization setting is enabled by default for sites that use the Salesforce CDN. To disable this preference for orgs using our CDN, go to Setup. In the Quick Find box, enter Domains, and then select Domains. Select Edit CDN Settings next to the domain whose settings you want to edit. Toggle off Image Optimization.