-
Cloudflare WAF Rules
Please help with implementing the below security features ASAP. There are so many frequent attacks on the website that cause the websites to go down.
- Geographical Rate Limiting - Add rules with rate limiting for traffic outside of specific countries (Challenge beyond the primary range/limit and block beyond the secondary range/limit)
- Basic Rate Limiting - Can we add a rule with rate limiting to block DoS attacks
- Bot Protection - Challenge suspected bots to confirm user authenticity
- Bot detection with JavaScript to identify headless browsers
- Captcha functionality - when users initially come into the site or users are starting an order…
6 votes
Thank you for your feedback!
This feedback item has been split to enable updates on the various different questions as they become available.
- Rate limiting related questions (1 and 2): https://feedback.optimizely.com/redirect/suggestions/50742092
- Bot Protection related questions (3, 4, 7): https://feedback.optimizely.com/redirect/suggestions/50742158
- Captcha functionality (5): https://feedback.optimizely.com/redirect/suggestions/50742185
- WAF compromised credentials check (6): https://feedback.optimizely.com/redirect/suggestions/50742164
-
Configured Commerce ODP connector
Partners/Clients would like an easy way to configure the ODP connector to pass various custom values from the Configured Commerce database to ODP.
1 vote
Thank you for submitting this request. Great news is that we already provide the ability to send custom properties to ODP and the documentation is available here - https://docs.developers.optimizely.com/configured-commerce/docs/send-custom-properties-to-odp
-
Disable Weak TLS Cipher Suites (CBC-mode Ciphers) in Managed Commerce Environments
As part of a recent internal and third-party security assessment (conducted by Optiv Security), our organization identified that our Optimizely Configured Commerce production environment (www.whitecap.com) currently supports weak TLS cipher suites, including CBC-mode ciphers.
These ciphers are considered outdated and potentially vulnerable to known cryptographic attacks (e.g., Lucky 13 and BEAST). Security best practices and compliance frameworks (such as PCI DSS, NIST SP 800-52r2, and OWASP guidelines) recommend disabling weak or deprecated cipher suites and enforcing stronger ones such as AES-GCM or CHACHA20_POLY1305 with TLS 1.2+ only.
During our support engagement (Ticket #1789304), the SRE team confirmed that…
1 vote
We acknowledge that security scanners do flag these cipher suites as weak, and they are not disabled. However, cipher configuration for Configured Commerce is managed globally through Cloudflare, and we are not able to disable these ciphers on behalf of customers; our approach is to rely on Cloudflare to proactively remove or deprecate cipher suites when publicly known vulnerabilities are discovered in them. In the event that one of these ciphers becomes a high-severity risk, Cloudflare would take action at the platform level, which would apply across all customers.
-
Stored card orders or subscription orders are not supported in cloud applications without user interaction
This is in reference to #1535075.
We are looking for the solution: It is regarding the issue we are currently facing on the Customer project, where recurring or subscription orders (credit card payments) are failing.
According to the response provided in the referenced support ticket, it has been stated that Stored card orders or subscription orders will not be supported in cloud applications without user interaction (e.g., entering CVV).
For context, services like Netflix in the U.S. support recurring payments without requiring user interaction for each transaction (such as CVV entry).
In order to fulfill this requirement, we are looking for…
1 vote
While reviewing details from ticket this was resolved using existing functionality.
-
Product Feedback: feedback too big for page very distracting
Description: This feedback thing takes up a large portion of my screen and makes it difficult to close. I'm using Firefox.
2 votes
-
Budget Threshold alert related notification emails are being sent to the customer months after initial notification failed.
Budget Threshold emails are being sent inaccurately. Configured Commerce Customer previously had the budget threshold feature-requesting further review directly with Partner for this existing functionality.
ENB-2730: reference for issue and advised to submit Enhancement request.
3 votes
Closing as this was believed to have been resolved via tickets and was not requiring enhancement