You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
In stacked CDN setups, or when you're calling controllers or OCAPI, it can be useful to identify traffic originating from MRT such that you can configure firewall rules to allow it.
Today, it is possible to identify traffic that likely came from MRT but requires works to guarantee it.
The most straight forward way to provide some level of security is to inspect incoming HTTP requests for the x-mobify: true request header.
If you must identify requests from MRT, you can move requests to the App Server (ssr.js) and use an environment variable to a shared secret HTTP header ... but the App Server isn't optimized for forwarding requests like proxies are.
In some scenarios, we've seen the Storefront zone hosted on eCDN block traffic originating from MRT. To resolve, review your eCDN Allow Lists and Security Settings in Business Manager allowing traffic from MRT:
In stacked CDN setups, or when you're calling controllers or OCAPI, it can be useful to identify traffic originating from MRT such that you can configure firewall rules to allow it.
Today, it is possible to identify traffic that likely came from MRT but requires works to guarantee it.
The most straight forward way to provide some level of security is to inspect incoming HTTP requests for the
x-mobify: true
request header.This is present in proxy requests:
https://playground-20x-us-west-1.mobify-storefront-staging.com/mobify/proxy/httpbin/headers
https://developer.salesforce.com/docs/commerce/pwa-kit-managed-runtime/guide/proxying-requests.html#request-and-response-modifications
From there, you can also seek to allow only AWS IPs from the
EC2
andCLOUDFRONT_ORIGIN_FACING
ranges:https://developer.salesforce.com/docs/commerce/pwa-kit-managed-runtime/guide/mrt-overview.html#constraints
But this is a rather large set!
If you must identify requests from MRT, you can move requests to the App Server (
ssr.js
) and use an environment variable to a shared secret HTTP header ... but the App Server isn't optimized for forwarding requests like proxies are.https://github.com/salesforceCommerceCloud/pwa-kit/compare/example-using-proxy
Ideally, we'd have some way to add a shared secret to out-going requests from MRT.
The text was updated successfully, but these errors were encountered: