Learn how to enable the commercetools Frontend basic Cloud Armor firewall policy to filter the traffic for your website.
Enable firewall protection with a special HTTP header
To filter web traffic, you can enable commercetools Frontend's out-of-the-box firewall protection. You can do so by using or creating a special header in the HTTP request from the source traffic.
To filter your web traffic with a special HTTP header, the API Hub must receive the specific header when called. You can send the header by using any of the following methods:
- Add the special HTTP header in each part of your frontend code that calls the API Hub.
- Use a proxying service to proxy the traffic between Netlify and the API Hub through a Web Application Firewall (WAF).
Here are a few best practices to consider when creating or using a special HTTP header:
-
Enter the header name in lowercase (for example,
apihub
), and then specify the value. For example:request.headers["<NAME OF SPECIAL HEADER>"] == "<VALUE OF SPECIAL HEADER>" request.headers["apihub"] == "adsfa565gdsfg456asdg45as5dg5asdgf5asdf"
-
Make sure that the name of the header doesn't exceed 50 characters.
-
If you are not able to use a special HTTP header, then you can request for a bypass rule to make sure that no web traffic is filtered for you development environment. To request the bypass rule, specify the
developers_enable_bybass
attribute astrue
in your support ticket when either calling the API Hub or proxying the traffic.
Directly call the API Hub
You can add the special HTTP header in your frontend code that is to be used for authentication before it reaches the API Hub.
By directly calling the API Hub, you don't have to pay any proxying service fees. However, you do need to add the HTTP header in each part of the frontend code that calls the API Hub. If you don't do so, then the firewall policy will deny access to the code.
staging
or production
. You can use the following template to create a support ticket:
Filtering_mode : Directly calling the API Hub
//Env and project list affected
environment : staging | production
projects_to_filter : all | `max list of 3 individual projects`
//Create a rule filter based on header name only
header_filtering_mode: header_only
header_name : `name of header`
header_value: `value of header`
developers_enable_bybass : true | false
Proxy the traffic
If you prefer not to add the special HTTP header to each of your requests, then you can use a proxying service (such as CloudFlare or Akamai) to do this on your behalf. You need to subscribe, configure, and maintain the network and header details by using the proxy service's relevant documentation.
dev
/staging
/production
) for different environments, zero code modifications, and the availability of WAF capabilities. However, this option involves a more complex implementation process than directly calling the API Hub and requires you to pay proxying service fees.In addition to configuring the special HTTP header, you can also provide a filter for IP address blocks (Classless Inter-Domain Routing). This filter helps ensure that only public CDN or proxy IPs are allowed to access the API Hub. IP address filtering is your own responsibility; you have to provide and maintain the IP address blocks of your CDN or proxy. If your CDN or proxy provider starts using a new IP address and that address hasn't been previously allowlisted on the firewall, then the web traffic will be blocked even if you have correctly set up the special HTTP header for those requests.
staging
or production
. You can use the following template to create a support ticket: Filtering_mode : Proxying the traffic
//Env and project list affected
environment : staging | production
projects_to_filter : all | `max list of 3 individual projects`
//Mandatory if you want to filter by header AND IPs
allow_ips_list : null | list of ips to allow
//Create a rule filter based on header name only or with IP from `allow_ips_list` ?
header_name : `name of header`
header_value: `value of header`
header_filtering_mode: header_only | header_and_ip
//Only available on staging where devs are hosted
developers_enable_bybass : true | false
developers_header_value : null | `value of header` // header name will be `header_name`
Best practices
We recommend that you follow these best practices when using a firewall with commercetools Frontend:
After the initial implementation, limit your change requests to no more than three per month. Requests for additional changes beyond this will incur an extra charge.
Monitoring
403
return codes within either your own CDN or monitoring stack, and then create alerts to check for false positives. If a false positive occurs, then contact the Frontend support team with the relevant IP address and timestamp.Set up another web application firewall (WAF)
We recommend that you deploy a WAF in front of the commercetools Frontend infrastructure, and then allow only qualified traffic identified by the special HTTP header to pass through the WAF.