How to launch a successful Flash Sale with SFCC: Part 4

Previously, you read about the 10 steps you can take to launch a successful Flash Sale on B2C Commerce and learned about traffic management practices. But when it comes to managing vulnerabilities, you need to be aware of and gear up against bad bots. E-commerce is a common target for cybercriminals during sales, who use bad bots to scoop up a majority of inventory to resell later for profit. Read the third part of this series to know the major ways bad bots affect retailers. In this final part of our Flash Sale series, you will learn about how Salesforce helps protect against bad bots during any high-volume sale, about bot management strategies, and implementation best practices.

The Salesforce Commerce Cloud approach to bot management

In order to block bad bots in real-time, B2C Commerce’s bot protection efforts are focused mainly on maintaining the availability, stability, and performance of their multi-tenant commerce platform. The tools and extensibility within the Salesforce Commerce Cloud platform protect their customer origins. Retailers have the ownership of monitoring and tuning the controls to shield against bots. Therefore, with Salesforce, bot management is a shared responsibility.

In this approach, retailers get configurable options to protect their origins from bots by using SFCC’s embedded Content Delivery Network (eCDN). This solution gives retailers the extensibility to stack another CDN, or use a third-party bot management solution that provides fine-grained control for identifying and controlling bots, as per their specific unique requirements.

The logic behind not having bot protection solution out-of-the-box

Since each retailer has a different business strategy, CDN setup and sales pattern, Salesforce Commerce Cloud wants to avoid the straitjacket approach. If a bot protection solution is too strict or falsely recognizes bots as malicious, it could be disruptive to a few retailers. Therefore, Salesforce refrains from identifying which bots are good or bad. Neither do they determine whether certain traffic is allowed to make purchases on the commerce platform. The e-CDN allows customers to easily integrate reputed third-party solutions of their choice that are easily configurable to the business needs. Retailers can also stack another CDN.

3 factors that help retailers pick a third-party bot management solution

Retailers should consider a third-party bot management solution if a sale event meets the following criteria:

  • When the crawler traffic hit rate is higher than usual: There is some crawler traffic like marketing bots, product restock checkers, feed fetchers, etc. This traffic usually hits category pages, product detail pages, and Product-Variation calls. However, when the hit rate, i.e., the number of requests per second of crawler traffic becomes substantial, and it consumes valuable processing seconds, this impacts the UX for shoppers. With effective limiting at the CDN layer, retailers can manage the crawler bot activity. But sometimes crawler bots generate enough IPs to evade even the most effective rate limit radars. This is when you need a specialized bot mitigation solution.

  • When big discounts are on offer for high-resale value products, or there’s a lot of hype: Discounted products such as limited release shoes, celebrity branded merch, or any sale items which have been highly promoted prior to the sale or a single product in a limited release, are a soft target for malicious bots. As previously mentioned, bad bots try to buy as much highly sought-after inventory as possible during a flash sale to maximize their resale profits. Deploying a bot specialized management solution becomes necessary to make it less challenging for human shoppers to complete their purchases without the risk of unexpected stock-outs.

  • When the business requires limited sales: Typically, bots try to overwhelm a site and maximize the number of successful checkouts. In a situation where businesses decide to limit the sale of an item, for instance, to one item per shopper, they need a specialized solution. This will help limit bot sales to just one successful transaction, if any.

With the myriad of solutions on the Salesforce partner marketplace, including pre-built cartridge integrations for B2C Commerce and fraud prevention services, choosing your ideal third-party bot solution provider should depend on the type of sale event, and enable the solution based on best practices recommended by the partner.


Since the benefits largely outweigh the cons, deploying a stacked CDN is a good option for retailers seeking to adopt third-party bot management solutions. Let us now look at the best practices that help retailers reap the most benefit.

Best practices for the outermost CDN in a stacked CDN setup?

As previously mentioned, when a CDN is stacked during the implementation of a third-party bot management solution, B2C Commerce eCDN protection capabilities, such as the Web Application Firewall (WAF), the firewall, rate limiting, geo IP blocking, etc, are effectively bypassed. This is why it is strongly recommended that businesses enable these capabilities at the outermost CDN that’s stacked in front of the B2C Commerce eCDN.

The outermost CDN should also monitor malformed URLs and block them at the outset. The CDN and other legitimate IP ranges should be added to the allowlist for the B2C Commerce eCDN. A specialized bot management solution should be implemented in a way that the solution at the third-party CDN (outermost CDN) can regulate the flow of traffic flowing into the B2C Commerce eCDN and origin. For this, secret headers at the outermost CDN should be used to ensure that incoming requests are routed through the correct zone in the outermost CDN.

Best practices for deploying third-party bot solutions on Salesforce Commerce Cloud

Third-party bot solutions can be deployed at the origin by using cartridges or at outermost edge of the stacked CDN level. This can be deployed at both layers, implementing a defense-in-depth strategy.

If using pre-built cartridge solutions, bot detection and mitigation at the origin still consumes resources at the B2C Commerce application layer. That is why, when choosing this method, the volume of traffic and the characteristics of the sale event should be considered too.

However, blocking bots at the edge (by using a stacked CDN, or by any other method) regulates the traffic flowing into the eCDN. It also prevents resource exhaustion at the origin. This strategy requires following stringent best practices to avoid subversion.


As you have seen, managing bots successfully, both the good and the bad, requires multiple approaches and multiple layers of protection for more holistic protection. This defense-in-depth strategy includes different tools, configurations, and best practices and requires a shared responsibility model between Salesforce and our customers.

Since it is that time of the year when companies are planning successful strategies to efficiently prepare for the two-month shopping sprint every November and December. Along with that, quick stock clearances with the help of Flash Sales also need careful strategizing to providing the best customer experience while maximizing results. If you are expecting a large increase in your checkouts, you need to prepare months in advance.

Suggested Reading:

2021 Holiday season Guide

How to Launch a Successful Flash Sale with SFCC? Part 1

How to Launch a Successful Flash Sale with SFCC? Part 2

How to Launch a Flash Sale Part 3: Outmaneuver the bots: Best Practices for Flash Sale on SFCC