Disable Weak TLS Cipher Suites (CBC-mode Ciphers) in Managed Commerce Environments
As part of a recent internal and third-party security assessment (conducted by Optiv Security), our organization identified that our Optimizely Configured Commerce production environment (www.whitecap.com) currently supports weak TLS cipher suites, including CBC-mode ciphers.
These ciphers are considered outdated and potentially vulnerable to known cryptographic attacks (e.g., Lucky 13 and BEAST). Security best practices and compliance frameworks (such as PCI DSS, NIST SP 800-52r2, and OWASP guidelines) recommend disabling weak or deprecated cipher suites and enforcing stronger ones such as AES-GCM or CHACHA20_POLY1305 with TLS 1.2+ only.
During our support engagement (Ticket #1789304), the SRE team confirmed that removing weak ciphers is not currently supported within the managed Optimizely infrastructure. We request that Optimizely provide customers with the ability to:
Disable weak cipher suites (especially CBC-mode ciphers) at the environment level.
Enforce modern cipher configurations (AES-GCM or CHACHA20_POLY1305).
Optionally, provide visibility into the active cipher suite list for validation and audit purposes.
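For the validation and audit point, an added example (not part of this request and not Optimizely tooling) that classifies a cipher list in the shape Python's `SSLContext.get_ciphers()` returns into AEAD suites versus the non-AEAD (CBC-mode) suites the assessment flagged; the `negotiated_cbc_suite` probe, host name and cipher string are my own assumptions for checking what an environment actually negotiates:

```python
import socket
import ssl

# Constructed sample in the shape returned by SSLContext.get_ciphers();
# only the "name" key is used here.
SAMPLE_CIPHERS = [
    {"name": "TLS_AES_256_GCM_SHA384"},
    {"name": "ECDHE-RSA-AES128-GCM-SHA256"},
    {"name": "ECDHE-RSA-CHACHA20-POLY1305"},
    {"name": "ECDHE-RSA-AES256-SHA384"},        # CBC mode; OpenSSL names omit "CBC"
    {"name": "TLS_RSA_WITH_AES_128_CBC_SHA"},   # IANA-style name, CBC mode
    {"name": "AES128-SHA"},                     # CBC mode, RSA key exchange
]

AEAD_TAGS = ("GCM", "CCM", "CHACHA20")


def is_aead(name):
    """True for AES-GCM, AES-CCM and CHACHA20-POLY1305 suites (OpenSSL or IANA naming)."""
    return any(tag in name.upper() for tag in AEAD_TAGS)


def classify(ciphers):
    """Split a get_ciphers()-style list into (allowed, weak) name lists.

    Every non-AEAD suite is treated as weak: in TLS 1.2 the remaining AES
    suites are all CBC-mode, which is the class the assessment flagged.
    """
    names = [c["name"] for c in ciphers]
    return [n for n in names if is_aead(n)], [n for n in names if not is_aead(n)]


# Hypothetical probe: offer a server only CBC suites over TLS 1.2 and return the
# suite it picks, or None if it refuses the handshake (no CBC suite in common).
CBC_ONLY = "ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:AES256-SHA:AES128-SHA"


def negotiated_cbc_suite(host, port=443, timeout=5):
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.maximum_version = ssl.TLSVersion.TLSv1_2  # TLS 1.3 suites are all AEAD
    ctx.set_ciphers(CBC_ONLY)  # raises SSLError if the local OpenSSL has none of these
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return tls.cipher()[0]
    except ssl.SSLError:
        return None


if __name__ == "__main__":
    allowed, weak = classify(ssl.create_default_context().get_ciphers())
    print("local client offers %d AEAD and %d non-AEAD suites" % (len(allowed), len(weak)))
    print("non-AEAD:", ", ".join(weak) or "none")
```

A `None` from `negotiated_cbc_suite("www.example.com")` means the server rejected every CBC suite offered; a suite name means it still accepts CBC and should be reported against the environment.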