Salesforce Commerce Cloud Security Updates for B2C ecommerce

New B2C commerce security changes in Salesforce may affect business workflow

Salesforce Commerce Cloud has frequent minor releases, as well as quarterly major updates to the platform. The final quarterly release for 2020 includes a host of quality-of-life updates, as well as some major security lockdowns in B2C Commerce Cloud.

Starting with Secondary Instance Groups on August 18th, 2020, and becoming Generally Available (GA) to Primary Instance Groups in the first wave on October 6th, 2020, the B2C Commerce 20.9 release includes a host of quality-of-life additions, as well as patches for some security flaws. In this post I've highlighted some of the biggest changes coming soon to SFCC site management.

JavaScript Not Supported in HTML Attributes

In the past, developers have been able to add open "HTML" style attributes to the database, allowing business users and developers alike to add or update HTML (or CSS, JavaScript, even plain text) on the site through the Business Manager instead of through a code replication. This method is fraught with issues, even for the most well-meaning users. An issue could be as small as a business user making a mistake and placing bad data on the site. However, this method also opens the door to a bad actor compromising a Business Manager login and placing malicious JavaScript on a live site, where it runs in every shopper's browser.

To help mitigate this issue, starting with the 20.9 release only Business Manager users with specially enhanced permissions and strong authentication will be able to place JavaScript in these HTML attributes. Eventually SFCC will fully retire the ability to add JavaScript through the attributes, so now is a great time to start re-thinking how that code can be safely implemented in another fashion.
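Before the capability is retired, it helps to know which attribute values on a site actually carry JavaScript so that code can be moved into cartridges. The script below is an added example written for this post, not Salesforce code: it scans a constructed list of exported attribute values (the record shape is an assumption, not a Business Manager export format) for the usual markers of inline script and reports what it finds. A regex scan is a triage tool, not a parser, so treat its output as a worklist to review by hand.

```javascript
// Added example, not Salesforce code. Audit exported HTML-attribute values for
// markers of embedded JavaScript so they can be migrated out of Business Manager.

// Indicators of script inside an HTML fragment. This is a triage heuristic:
// it can produce false positives (e.g. the words "on =" in running text) and
// will not catch every obfuscation, so review each hit before acting on it.
const SCRIPT_PATTERNS = [
  { name: 'script-tag',     re: /<\s*script\b/i },
  { name: 'event-handler',  re: /\son[a-z]+\s*=/i },
  { name: 'javascript-url', re: /(?:href|src|action|formaction)\s*=\s*["']?\s*javascript:/i },
  { name: 'data-html-url',  re: /\bsrc\s*=\s*["']?\s*data:text\/html/i },
];

// Return the names of every indicator that matches one attribute value.
function findScriptInValue(value) {
  const hits = [];
  for (const p of SCRIPT_PATTERNS) {
    if (p.re.test(value)) hits.push(p.name);
  }
  return hits;
}

// records: array of { objectType, objectId, attribute, value } (assumed shape).
// Returns one finding per record whose value contains at least one indicator.
function auditAttributes(records) {
  const findings = [];
  for (const r of records) {
    if (typeof r.value !== 'string') continue; // skip non-text attributes
    const hits = findScriptInValue(r.value);
    if (hits.length > 0) {
      findings.push({
        objectType: r.objectType,
        objectId: r.objectId,
        attribute: r.attribute,
        indicators: hits,
      });
    }
  }
  return findings;
}

// Constructed sample records standing in for an attribute export.
const SAMPLE_RECORDS = [
  { objectType: 'Content',  objectId: 'homepage-banner', attribute: 'body',
    value: '<div class="banner"><h2>Summer sale</h2></div>' },
  { objectType: 'Content',  objectId: 'promo-tracker',   attribute: 'body',
    value: '<img src="/img/pixel.gif" onload="track()">' },
  { objectType: 'Product',  objectId: 'SKU-1001',        attribute: 'longDescription',
    value: '<p>Hand-made.</p><script>loadReviews()</script>' },
  { objectType: 'Category', objectId: 'shoes',           attribute: 'description',
    value: '<a href="javascript:openQuickView()">Quick view</a>' },
];

function runAudit() {
  return auditAttributes(SAMPLE_RECORDS);
}

// Print a worklist: object, attribute and which indicators fired.
for (const f of runAudit()) {
  console.log(`${f.objectType} ${f.objectId}.${f.attribute}: ${f.indicators.join(', ')}`);
}
```

On the sample data the banner is clean and the other three records are flagged, one each for an event-handler attribute, a script tag and a javascript: URL. Each flagged value is a candidate for moving its behaviour into cartridge code (deployed through code replication, with review) and leaving only markup in the attribute.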

Use Access Key for Business Manager Login

SFCC will be releasing the ability for Business Manager users to log in using an externally authenticated access key. This will be extremely helpful in business environments that already have a fully external SSO login method implemented, allowing Business Manager users to use their SSO login instead of an additional username and password. This will take pressure off SFCC Administrators to manage users separately from IT login management.

Use the Einstein Complete the Set Recommender For New Verticals

The SFCC Einstein Recommender has recently released a new "Complete the Set" recommender for apparel and fashion accessories. In the 20.9 release, the team will be releasing a "Complete the Set" recommender for new verticals, such as home furnishings, cosmetics, and beauty products. The "Complete the Set" recommender looks through the types of products most frequently purchased together, then applies intelligence around product categories to create a "Set". This recommender becoming available for new verticals will help sites bring a full array of personalized suggestions to the consumer. 

Final Deprecation of "ServiceRegistry" Class

In the 19.10 release, SFCC deprecated the "ServiceRegistry" class in favor of an updated "LocalServiceRegistry" class. "LocalServiceRegistry" offers more features than its predecessor and has stronger security built in. As of the 20.9 GA release, any legacy code or cartridges installed that use the "ServiceRegistry" class will no longer function.

I hope this post is helpful in detailing some upcoming changes to your Salesforce B2C Commerce site!