Security Settings
Configure Business Manager security settings. Login settings apply only to accounts that haven't migrated to unified authentication. Unified authentication links the login of all Business Manager instances to the Account Manager login. As of 19.5, all new instances are linked to the Account Manager login.
- Migrate Users to Unified Authentication Via Account Manager
Let your users log in to their instances via Account Manager by migrating them to Unified Authentication. Once migrated, users need to manage only one set of login credentials. You can increase security on your instances by using Account Manager's two-factor authentication.
- Configure Login Settings
In Business Manager, it's important to configure user password restrictions and login lockout policies. All the possible values ensure compliance with the Payment Card Industry Data Security Standard (PCI DSS).
- Configure Access Settings
Limit access based on IP addresses. If you don't provide an allowlist or blocklist, the feature isn't active and these settings have no effect.
- Configure the Enforce HTTPS Global Preference
You can enforce the use of HTTPS for all sites in an instance. When this setting is enabled, URLs are generated using the HTTPS protocol, and incoming page requests that use HTTP are redirected to HTTPS. HTTP requests to OCAPI's session bridge aren't accepted. Also, instead of a combination of session cookies and secure tokens, secure session cookies are used, which helps avoid incorrect (false positive) session hijacking detections. You must enable the Enforce HTTPS global preference to let browsers send cookies in cross-site contexts.
- Set HSTS for Business Manager in Global Preferences
HTTP Strict Transport Security (HSTS) can substantially improve the security of Business Manager. It secures Business Manager by instructing web browsers to access the domain using only HTTPS.
- Create CSRF Allowlists
Configure how your site handles CSRF allowlists.
- Clear SFTP Known Good Hosts
Business Manager remembers hosts previously used for SFTP. You can clear these remembered known hosts.
- Add a System Use Notification Message
You can create a system use notification message that displays when your users log in. You can also require them to acknowledge this message before continuing to log in.