Bot Management
Successful bot protection and management for Salesforce B2C Commerce storefronts is a shared responsibility between Salesforce and our customers. These frequently asked questions cover key topics related to our product offering, bot management strategies, and implementation best practices, helping to ensure we gain a common understanding of our shared responsibility.
What is the Salesforce B2C Commerce approach to bot management?
Bot protection efforts by B2C Commerce are focused primarily on maintaining the availability, stability, and performance of our multi-tenant commerce platform. When gaps are identified or issues arise related to bot management, we promptly take action to maintain the availability of the platform.
B2C Commerce offers tools and extensibility within the platform to protect customer origins, and customers own the monitoring and tuning of the controls to protect against bots on a continuous basis. Our approach is to provide customers with configurable options to protect their origins from bots by using our embedded Content Delivery Network (eCDN). This solution gives customers the extensibility to stack another CDN, or use a third-party bot management solution that provides fine-grained control for identifying and controlling bots, according to their unique needs.
Why doesn’t Salesforce B2C Commerce provide a bot protection solution out-of-the-box?
When it comes to bot detection and subsequent action, each customer’s business strategy, CDN setup, and sales pattern is unique. A bot protection solution that is too strict or falsely recognizes bots as malicious might work for one customer but could be disruptive for another customer. Therefore, we refrain from identifying which bots are good or bad, and we don’t determine whether certain traffic is allowed to make purchases on our commerce platform.
At Commerce Cloud, our approach is to provide customers the configurability to protect their origins against bots via our embedded CDN. Customers also have the extensibility to stack another CDN or use a third-party bot management solution of their choice.
Can I choose a bot management strategy that allows sales to both human shoppers and bots?
B2C Commerce doesn’t identify bots as good or bad, nor do we suggest whether certain traffic is allowed to make purchases on our commerce platform. Our customers have the flexibility to adopt the bot management strategy that aligns with their business needs.
However, regardless of the bot management strategy, we recommend certain best practices so that bots don’t overwhelm customer origins and our multi-tenant platform. These best practices include regulating the flow of traffic to a customer storefront by following Traffic Management Best Practices, conducting load tests to understand the constraints of the storefront, and configuring rate limits and firewall rules to block unwanted traffic.
For more information about steps that you can take to ensure a successful flash sale, see Bot Mitigation Best Practices for Flash Sales and Launching a Successful Flash Sale.
When should I consider a third-party bot management solution?
Many factors determine whether a third-party bot management solution is warranted. If a sale event meets the following criteria, consider using a third-party solution.
- Crawler traffic. Most traffic patterns involve some amount of crawler traffic, such as marketing bots, product restock checkers, feed fetchers, and so on. This traffic usually hits category pages, product detail pages, and Product-Variation calls. At times, the hit rate (requests per second) of crawler traffic becomes substantial, consuming valuable processing seconds and hindering the user experience for human shoppers. Typically, customers can manage crawler bots with effective rate limiting at the CDN layer. However, sometimes crawler bots generate enough IPs to evade even the most effective rate limit radars, warranting the use of a specialized bot mitigation solution.
- Discounted high-resale products. Sale items with a high resale value include **** limited release shoes, celebrity branded items, and in general, merchandise that is highly promoted presale. Malicious bots try to buy as much highly sought after inventory as possible during a flash sale, maximizing chances for hefty resale profits. This situation makes it much more challenging for human shoppers to complete purchases.
- Business requirements. A business requirement might limit the sale of an item to one per shopper or household. This requirement also means limiting bot sales to one successful transaction, if any. Typically, bots try to overwhelm a site and maximize the number of successful checkouts.
- General popularity or hype. The hype surrounding a particular line of apparel or shoes, or perhaps a single product in limited release can be substantial. Hype almost always attracts sophisticated bots, and typically, warrants working with a third-party bot mitigation partner to stop them.
What third-party solutions does Commerce Cloud recommend for enhancing security against advanced bots?
Commerce Cloud provides a robust partner ecosystem on the LINK Marketplace, our Technology Partner Program. Partners like PerimeterX and Datadome provide pre-built cartridge integrations for B2C Commerce. In scenarios where customers are concerned about fraudulent orders, customers can also subscribe to fraud prevention services like Cybersource or Forter. We recommend that customers do their due diligence and choose a solution that meets the needs of their sale event, and then, enable that solution according to the best practices recommended by the partner.
Why should I consider deploying a stacked CDN configuration?
For better control, increased visibility, and more flexibility in security configurations for shopper traffic versus bot traffic, customers can deploy a stacked CDN configuration. In some cases, customers migrating to B2C Commerce might already have a contract with a third-party CDN provider, offering the features and configurations that are specific to their business needs. In other cases, customers might want to enable features that are not available out-of-the-box from the B2C Commerce embedded CDN. In these scenarios, you can choose to stack a third-party CDN in front of the B2C Commerce eCDN. For more information, see Steps to stack a CDN in front of the embedded CDN.
Are there any disadvantages of stacking a third-party CDN in front of the B2C Commerce eCDN?
A stacked CDN will change the view of traffic to lower CDNs. For example, some protection capabilities, such as the Web Application Firewall (WAF), the firewall, rate limiting, geo IP blocking, and so on, might result in false positives. To avoid these false positives and unintentionally blocking traffic, customers can add the IP address ranges for the third-party CDN to the B2C Commerce eCDN trusted IP list. To adequately protect customer web origins, we strongly recommend that customers enable protection capabilities at the third-party CDN stacked in front of B2C Commerce eCDN.
Can customers use only a third-party CDN and request removal of the B2C Commerce eCDN?
Customers can use the CDN of their choice by stacking it in front of the B2C Commerce eCDN. However, even when stacking another CDN, traffic must pass through the B2C Commerce eCDN to ensure a single point of entry into our infrastructure. The B2C Commerce eCDN is an embedded feature that’s required for platform functionality, and it provides availability and security benefits.
With traffic flowing through the embedded CDN, B2C Commerce can help to control and protect customer origins from bots, bad actors trying to subvert customer controls, and distributed denial-of-service (DDoS) attacks. The embedded CDN helps us to assist customers during incidents, provides observability into site performance, and protects the B2C Commerce infrastructure.
What are the configuration best practices for flash sales?
For detailed information about hosting a successful flash sale, see Bot Mitigation Best Practices for Flash Sales and Launching a Successful Flash Sale. In addition, follow Traffic Management Best Practices to regulate the flow of traffic coming into customer origins.
What are some configuration best practices for the outermost CDN in a stacked CDN setup?
In a stacked CDN setup, B2C Commerce eCDN protection capabilities, such as the Web Application Firewall (WAF), the firewall, rate limiting, geo IP blocking, and so on, are effectively bypassed. In this scenario, we strongly recommend that customers enable these capabilities at the outermost CDN that’s stacked in front of the B2C Commerce eCDN.
The outermost CDN should also monitor malformed URLs and block them at the outset. Add the CDN and other legitimate IP ranges in the allowlist for the B2C Commerce eCDN. Customers with a specialized bot management solution should implement that solution at the third-party CDN (outermost CDN) to regulate the flow of traffic flowing into the B2C Commerce eCDN and origin. Use secret headers at the outermost CDN to ensure that incoming requests are routed through the correct zone in the outermost CDN. For more information, see Steps to stack a CDN in front of the embedded CDN.
What are the ways of deploying third-party bot solutions on B2C Commerce?
Customers can deploy third-party bot solutions at the origin by using cartridges or at the stacked CDN level (outermost edge). Some customers choose to deploy at both layers, implementing a defense-in-depth strategy.
Bot detection and mitigation at the origin by using cartridges requires consumption of resources at the B2C Commerce application layer. When choosing this strategy, take into account the volume of traffic and the characteristics of the sale event.
On the other hand, blocking bots at the edge (by using a stacked CDN, or otherwise) regulates the traffic flowing into the eCDN and prevents resource exhaustion at the origin. However, this strategy requires following stringent best practices to avoid subversion.
For bot management, what are customers responsible for compared to Salesforce B2C Commerce?
Successful bot management requires multiple approaches and a defense-in-depth strategy, including many different tools, configurations, and best practices. This defense-in-depth strategy requires a shared responsibility model between Salesforce and our customers.
To help protect customer origins, B2C Commerce provides multiple features out-of-the-box with our embedded CDN. However, customers are responsible for configuring firewalls on our eCDN so that legitimate traffic from known IP addresses (such as proxies, stacked CDNs, and so on) is allowed, and traffic from other sources is blocked or challenged. Customers are also responsible for setting the appropriate sensitivity levels in the firewall and enabling Web Application Firewall (WAF) rules to protect against OWASP top 10 attacks.
For flash sales, customers should evaluate the characteristics of the sale event and consider implementing specialized bot management solutions. If storefronts experience performance issues, customers should identify individual pages or controllers that are under attack, and can raise the threat level of their entire site by using B2C Commerce eCDN settings, while continuing to identify which specific areas are being attacked.
On a continuous basis, customers should analyze traffic patterns and call formats to their origin to identify malformed URLs that are hitting their origin. Customers can use third-party bot monitoring tools or CDNs stacked in front of the B2C Commerce eCDN. After customers identify unwanted traffic, Salesforce B2C Commerce teams can help implement custom firewall rules to block or challenge this type of traffic.
The Salesforce B2C Commerce team is responsible for monitoring the availability of our multi-tenant commerce platform. B2C Commerce will enforce rate limits, firewall rules, and other protective controls on a routine basis to maintain the availability of our platform.
Under what conditions should customers enable the Under Attack mode in Business Manager?
Under Attack mode presents a CAPTCHA to every unique user before they're allowed to see the storefront. During an attempted distributed denial-of-service (DDoS) attack, use this mode only as a last resort to stop the attack.