7 results found

1. Bot prevention measures

   Please note: this idea required splitting so that various points may be addressed as information becomes available.

   New request:

   1. Bot Protection - Challenge suspected bots to confirm user authenticity
   2. Bot detection with javascript to identify headless browsers
   3. Any other WAF rules to protect the website from anonymous usage and attacks

   Original request:

   Please help with implementing below security features ASAP. There are so many frequent attacks on the website that causes the websites to go down.

   1. Geographical Rate Limiting - Add rules with rate limiting for traffic outside of specific countries (Challenge beyond the primary range/limit and block beyond the secondary range/limit)
   2. Basic Rate Limiting - Can we add a rule with rate limiting to block DoS attacks
   3. Bot Protection - Challenge suspected bots to confirm user authenticity
   4. Bot detection with javascript to identify headless browsers
   5. Captcha functionality - when users initially come into the site or users are starting an order or users are entering credit card information
   6. WAF compromised credentials check
   7. Any other WAF rules to protect the website from anonymous usage and attacks

   There are multiple problems if there are no proper security rules in place.

   • Problem-1: Websites are going down – Loss of business and sales
   • Problem-2: There are many unnoticed attacks, as we know the attacks only after the websites go down
   • Problem-3: There is a possibility of data mining from our websites if there is no security rules

   Please note: this idea required splitting so that various points may be addressed as information becomes available.

   New request:

   1. Bot Protection - Challenge suspected bots to confirm user authenticity
   2. Bot detection with javascript to identify headless browsers
   3. Any other WAF rules to protect the website from anonymous usage and attacks

   Original request:

   Please help with implementing below security features ASAP. There are so many frequent attacks on the website that causes the websites to go down.

   1. Geographical Rate Limiting - Add rules with rate limiting for traffic outside of specific countries (Challenge beyond the primary range/limit and block beyond the… more
   11 votes

   Vote Vote Vote Vote

   We're glad you're here

   Please sign in to leave feedback

   Signed in as (Sign out)

   Close

   Close

   Vote

   We’ll send you updates on this idea

   0 comments  ·  Delete…  ·  Admin →
   Building  ·  AdminNathan Brown (Technical Senior Product Manager, Optimizely) responded

   We are currently building support in CFG for Cloudflare for SaaS/O2O, which will allow customers to implement and maintain their own Cloudflare WAF in front of Optimizely's. If a customer chooses to stand up their own WAF, they would be able to tailor it to fit their business needs specifically by including things like rate limiting, bot protection, and other Cloudflare configurations.

   Note: Optimizely does already take action to mitigate attacks by working with the customer to implement challenges and/or specific rules for the issues the customer is experiencing.

2. Proactive Site Monitoring

   Opti should provide proactive site monitoring to its configured commerce customers. Customer should received an alert from Opti about server errors, hosting issues, site restarts, etc. As hosting provider, Opti should support the platform from this perspective and not be reliant on Partners or the Customers to address these types of errors.

   9 votes

   Vote Vote Vote Vote

   We're glad you're here

   Please sign in to leave feedback

   Signed in as (Sign out)

   Close

   Close

   Vote

   We’ll send you updates on this idea

   0 comments  ·  Delete…  ·  Admin →
   Building  ·  AdminNathan Brown (Technical Senior Product Manager, Optimizely) responded

   This work is in progress across multiple areas of the product, including: Mission Control alerts/notifications, Cloudflare O2O support, proactive query analysis in CFG, and other performance improvements.

   
   

   Please see documentation around Mission Control's new Notifications tab - this is the main area where we will be including more alerts in the coming months: https://support.optimizely.com/hc/en-us/articles/44077180697997-Build-and-deploy-notifications

3. Website Stability via Rate Limiting

   Please note: this idea required splitting so that various points may be addressed as information becomes available.

   New request:

   1. Geographical Rate Limiting - Add rules with rate limiting for traffic outside of specific countries (Challenge beyond the primary range/limit and block beyond the secondary range/limit)
   2. Basic Rate Limiting - Can we add a rule with rate limiting to block DoS attacks

   Original request:

   Please help with implementing below security features ASAP. There are so many frequent attacks on the website that causes the websites to go down.

   1. Geographical Rate Limiting - Add rules with rate limiting for traffic outside of specific countries (Challenge beyond the primary range/limit and block beyond the secondary range/limit)
   2. Basic Rate Limiting - Can we add a rule with rate limiting to block DoS attacks
   3. Bot Protection - Challenge suspected bots to confirm user authenticity
   4. Bot detection with javascript to identify headless browsers
   5. Captcha functionality - when users initially come into the site or users are starting an order or users are entering credit card information
   6. WAF compromised credentials check
   7. Any other WAF rules to protect the website from anonymous usage and attacks

   There are multiple problems if there are no proper security rules in place.

   • Problem-1: Websites are going down – Loss of business and sales
   • Problem-2: There are many unnoticed attacks, as we know the attacks only after the websites go down
   • Problem-3: There is a possibility of data mining from our websites if there is no security rules

   Please note: this idea required splitting so that various points may be addressed as information becomes available.

   New request:

   1. Geographical Rate Limiting - Add rules with rate limiting for traffic outside of specific countries (Challenge beyond the primary range/limit and block beyond the secondary range/limit)
   2. Basic Rate Limiting - Can we add a rule with rate limiting to block DoS attacks

   Original request:

   Please help with implementing below security features ASAP. There are so many frequent attacks on the website that causes the websites to go down.

   1. Geographical Rate Limiting - Add rules with rate limiting for traffic outside of… more
   6 votes

   Vote Vote Vote Vote

   We're glad you're here

   Please sign in to leave feedback

   Signed in as (Sign out)

   Close

   Close

   Vote

   We’ll send you updates on this idea

   0 comments  ·  Delete…  ·  Admin →
   Building  ·  AdminNathan Brown (Technical Senior Product Manager, Optimizely) responded

   We are currently building support in CFG for Cloudflare for SaaS/O2O, which will allow customers to implement and maintain their own Cloudflare WAF in front of Optimizely's. If a customer chooses to stand up their own WAF, they would be able to tailor it to fit their business needs specifically by including things like rate limiting, bot protection, and other Cloudflare configurations.

   Note: Optimizely does already take action to mitigate attacks by working with the customer to implement challenges and/or specific rules for the issues the customer is experiencing.

4. Request for an out of the box configuration setting for when sessions are fully expired

   Request for an out of the box configuration setting for when sessions are fully expired:

   • Session Expiration and let the client decide if they would like to redirect to Session Expired Page, or use Overlay with Session Expired Modal on same page.
   • In this setting we could also provide additional sub-setting with ability to enable a session expiration warning (admin can set the number of minutes)

   Incomplete Client-Side Inactivity Timeout: We have two different issues with this vulnerability,
   • If a customer steps away from their system without an automatic logout after a period of inactivity, there is a risk that others may access sensitive information. (They can’t take any action, however they can see all the information on that current page)
   • Customers believe they are still logged in while attempting to check out or submit orders, only to find themselves logged out unexpectedly. This can be frustrating for them.

   This issue was raised as a security vulnerability by security audit team and it’s also customer experience issue (they are not aware of session expiration). This is already in your tracker but it’s mentioned as “Working as Designed.” but it’s a security issue. Please consider this as a security fix.
   Incomplete Client-Side Inactivity Timeout Low When a user’s session expires, their active window is not redirected to a timeout or login page. Any information on the page remains exposed. Working as Designed. This is currently designed behavior on Storefront, any action on a website after session timeout will redirect user to SignIn page.

   Request for an out of the box configuration setting for when sessions are fully expired:

   • Session Expiration and let the client decide if they would like to redirect to Session Expired Page, or use Overlay with Session Expired Modal on same page.
   • In this setting we could also provide additional sub-setting with ability to enable a session expiration warning (admin can set the number of minutes)

   Incomplete Client-Side Inactivity Timeout: We have two different issues with this vulnerability,
   • If a customer steps away from their system without an automatic logout after a period of inactivity, there is… more

   6 votes

   Vote Vote Vote Vote

   We're glad you're here

   Please sign in to leave feedback

   Signed in as (Sign out)

   Close

   Close

   Vote

   We’ll send you updates on this idea

   3 comments  ·  Delete…  ·  Admin →
   Building  ·  AdminSara Winter (Principal Product Manager, Optimizely) responded

   Great news! Our team is anticipating releasing this feature in June 2026. I'll provide another update once the release has been completed.

5. Enable Cloudflare's leaked credentials detection

   Please note: this idea required splitting so that various points may be addressed as information becomes available.

   New request:

   1. WAF compromised credentials check

   Original request:

   Please help with implementing below security features ASAP. There are so many frequent attacks on the website that causes the websites to go down.

   1. Geographical Rate Limiting - Add rules with rate limiting for traffic outside of specific countries (Challenge beyond the primary range/limit and block beyond the secondary range/limit)
   2. Basic Rate Limiting - Can we add a rule with rate limiting to block DoS attacks
   3. Bot Protection - Challenge suspected bots to confirm user authenticity
   4. Bot detection with javascript to identify headless browsers
   5. Captcha functionality - when users initially come into the site or users are starting an order or users are entering credit card information
   6. WAF compromised credentials check
   7. Any other WAF rules to protect the website from anonymous usage and attacks

   There are multiple problems if there are no proper security rules in place.

   • Problem-1: Websites are going down – Loss of business and sales
   • Problem-2: There are many unnoticed attacks, as we know the attacks only after the websites go down
   • Problem-3: There is a possibility of data mining from our websites if there is no security rules

   Please note: this idea required splitting so that various points may be addressed as information becomes available.

   New request:

   1. WAF compromised credentials check

   Original request:

   Please help with implementing below security features ASAP. There are so many frequent attacks on the website that causes the websites to go down.

   1. Geographical Rate Limiting - Add rules with rate limiting for traffic outside of specific countries (Challenge beyond the primary range/limit and block beyond the secondary range/limit)
   2. Basic Rate Limiting - Can we add a rule with rate limiting to block DoS attacks
   3. Bot Protection - Challenge suspected bots to confirm user… more
   5 votes

   Vote Vote Vote Vote

   We're glad you're here

   Please sign in to leave feedback

   Signed in as (Sign out)

   Close

   Close

   Vote

   We’ll send you updates on this idea

   0 comments  ·  Delete…  ·  Admin →
   Building  ·  AdminNathan Brown (Technical Senior Product Manager, Optimizely) responded

   We are currently building support in CFG for Cloudflare for SaaS/O2O, which will allow customers to implement and maintain their own Cloudflare WAF in front of Optimizely's. If a customer chooses to stand up their own WAF, they would be able to tailor it to fit their business needs specifically by including things like rate limiting, bot protection, and other Cloudflare configurations.

   Note: Optimizely does already take action to mitigate attacks by working with the customer to implement challenges and/or specific rules for the issues the customer is experiencing.

6. Promotions - BOGO Improvement

   We are having an issue with a Buy One Get One Free Promo. 
   [It requires too many promotions to be setup to be able to support this type of promotion.]

   This promo does work when you just order 1 of the MILW 3697-22 and you get a free MILW 48-11-1865
   BUT if a customer were to order more than 1 lets say 4 for example, it's only still giving them 1 free MILW 48-11-1865 when it should give them 4 free MILW 48-11-1865, since it is a Buy one Get one.

   [Multiple promotions are required to set this up which result in potentially hundreds of promotions to support a single BOGO type campaign]

   If I were to walk into a retailer like Home Depot or Lowe’s, or place an order on their websites, I would be able to add four qualifying items and receive four batteries for free, as outlined in my example.

   With all due respect, this type of functionality is fairly common within eCommerce. It would be beneficial to see more forward-thinking development around promotional capabilities to better align with standard market expectations and customer buying behavior.

   We are having an issue with a Buy One Get One Free Promo. 
   [It requires too many promotions to be setup to be able to support this type of promotion.]

   This promo does work when you just order 1 of the MILW 3697-22 and you get a free MILW 48-11-1865
   BUT if a customer were to order more than 1 lets say 4 for example, it's only still giving them 1 free MILW 48-11-1865 when it should give them 4 free MILW 48-11-1865, since it is a Buy one Get one.

   [Multiple promotions are required to set this up which… more

   •  

   3 votes

   Vote Vote Vote Vote

   We're glad you're here

   Please sign in to leave feedback

   Signed in as (Sign out)

   Close

   Close

   Vote

   We’ll send you updates on this idea

   Building  ·  1 comment  ·  Delete…  ·  Admin →

7. Enable 3DS API Integration Support for Bambora

   Bambora currently supports 3D Secure (3DS) authentication, which is an industry-standard security protocol designed to reduce fraud and increase authorization rates during online transactions. However, Configured Commerce does not currently offer out-of-the-box support for Bambora's 3DS API integration.

   This would include:

   • UI/Settings support to enable/disable 3DS within Bambora configurations.

   • Backend integration to perform 3DS authentication flows as part of the payment process.

   Priority: high - currently unnecessary risk for TD/Bambora enabled customers to accept online payments without 3DS.

   1 vote

   Vote Vote Vote Vote

   We're glad you're here

   Please sign in to leave feedback

   Signed in as (Sign out)

   Close

   Close

   Vote

   We’ll send you updates on this idea

   Building  ·  0 comments  ·  Delete…  ·  Admin →