Configure a firewall policy

Learn how to enable the commercetools Frontend basic Cloud Armor firewall policy to filter the traffic for your website.

Enable firewall protection with a special HTTP header

To filter web traffic, you can enable commercetools Frontend's out-of-the-box firewall protection. You can do so by using or creating a special header in the HTTP request from the source traffic.

To filter your web traffic with a special HTTP header, the API Hub must receive the specific header when called. You can send the header by using any of the following methods:

  • Add the special HTTP header in each part of your frontend code that calls the API Hub.
  • Use a proxying service to proxy the traffic between Netlify and the API Hub through a Web Application Firewall (WAF).

Here are a few best practices to consider when creating or using a special HTTP header:

  • Enter the header name in lowercase (for example, apihub), and then specify the value. For example:
    Special customer header exampletypescript
    request.headers["<NAME OF SPECIAL HEADER>"] == "<VALUE OF SPECIAL HEADER>"
    request.headers["apihub"]  == "adsfa565gdsfg456asdg45as5dg5asdgf5asdf"
    
  • Make sure that the name of the header doesn't exceed 50 characters.

  • If you are not able to use a special HTTP header, then you can request for a bypass rule to make sure that no web traffic is filtered for you development environment. To request the bypass rule, specify the developers_enable_bybass attribute as true in your support ticket when either calling the API Hub or proxying the traffic.

Directly call the API Hub

You can add the special HTTP header in your frontend code that is to be used for authentication before it reaches the API Hub.

By directly calling the API Hub, you don't have to pay any proxying service fees. However, you do need to add the HTTP header in each part of the frontend code that calls the API Hub. If you don't do so, then the firewall policy will deny access to the code.

If you decide to directly call the API, then you need to enable the firewall for your account. To do this, contact the Frontend support team. Make sure to include the elements that you want to configure by environment, which can be either staging or production. You can use the following template to create a support ticket:
Support ticket templatetypescript

    Filtering_mode : Directly calling the API Hub

    //Env and project list affected
    environment : staging | production
    projects_to_filter : all | `max list of 3 individual projects`

    //Create a rule filter based on header name only
    header_filtering_mode: header_only
    header_name : `name of header`
    header_value: `value of header`

    developers_enable_bybass : true | false

Proxy the traffic

If you prefer not to add the special HTTP header to each of your requests, then you can use a proxying service (such as CloudFlare or Akamai) to do this on your behalf. You need to subscribe, configure, and maintain the network and header details by using the proxy service's relevant documentation.

The benefits of using a proxying service include the flexibility to define different header values (dev/staging/production) for different environments, zero code modifications, and the availability of WAF capabilities. However, this option involves a more complex implementation process than directly calling the API Hub and requires you to pay proxying service fees.

In addition to configuring the special HTTP header, you can also provide a filter for IP address blocks (Classless Inter-Domain Routing). This filter helps ensure that only public CDN or proxy IPs are allowed to access the API Hub. IP address filtering is your own responsibility; you have to provide and maintain the IP address blocks of your CDN or proxy. If your CDN or proxy provider starts using a new IP address and that address hasn't been previously allowlisted on the firewall, then the web traffic will be blocked even if you have correctly set up the special HTTP header for those requests.

If you decide to proxy the traffic, then you need to enable the firewall for your account. To do this, contact the Frontend support team. Make sure to include the elements that you want to configure by environment, which can be either staging or production. You can use the following template to create a support ticket:
Support ticket templatetypescript
    Filtering_mode : Proxying the traffic

    //Env and project list affected
    environment : staging | production
    projects_to_filter : all | `max list of 3 individual projects`

   //Mandatory if you want to filter by header AND IPs
    allow_ips_list : null | list of ips to allow

    //Create a rule filter based on header name only or with IP from `allow_ips_list` ?
    header_name : `name of header`
    header_value: `value of header`
    header_filtering_mode:  header_only | header_and_ip

    //Only available on staging where devs are hosted
    developers_enable_bybass : true | false
    developers_header_value  : null | `value of header` // header name will be `header_name`

Best practices

We recommend that you follow these best practices when using a firewall with commercetools Frontend:

After the initial implementation, limit your change requests to no more than three per month. Requests for additional changes beyond this will incur an extra charge.

Monitoring

Set up monitoring for HTTP 403 return codes within either your own CDN or monitoring stack, and then create alerts to check for false positives. If a false positive occurs, then contact the Frontend support team with the relevant IP address and timestamp.

Set up another web application firewall (WAF)

We recommend that you deploy a WAF in front of the commercetools Frontend infrastructure, and then allow only qualified traffic identified by the special HTTP header to pass through the WAF.

Responsibility

You are responsible for configuring and maintaining your content, and you should submit update requests via support tickets. We are not responsible for any changes or omissions related to IP addresses or headers. It is your responsibility to notify the Frontend support team if your provider modifies their IP address whitelists, because we do not monitor these changes. Failure to provide this information could result in certain traffic being blocked. However, if only a special header is used, then this issue will not occur. If the header is missing, then it indicates that either you might have missed out on adding the header or the header was compromised.