Supply Chain Security
Unverified software sources included through uploads and external linking represent potential vectors for attack.
- Code Uploads
Uploading code is a sensitive operation. Any possibility of uploading untrusted code opens the door for malicious actors to access most of your realm's data and capabilities, which adversely affects the confidentiality, integrity, and availability of your site and your customers' data.
- Third-Party Libraries
Third-party software is regularly integrated into custom code to add features quickly and shorten time to market. This practice carries the risk of pulling unwanted or insecure libraries into the storefront code. Even SiteGenesis and SFRA include a number of third-party libraries. When incorporated into your custom code, they require close monitoring for known issues and vulnerabilities.
- Remotely Hosted Resources
Supply chain attacks are increasingly common in the ecommerce space. For example, Magecart often targets third-party, remotely hosted resources to inject drive-by scripts that skim sensitive information entered on a webpage. Using only JavaScript, attackers can mine cryptocurrencies, enlist client machines as nodes in a DDoS botnet, and even attempt to install malware directly onto the client machine for further control and compromise.
Infocenter Retirement: On June 30, 2023, the Infocenter was retired, and documentation currently hosted on the Infocenter will be published to Salesforce Help, Commerce Cloud Developer Center, and Salesforce B2C Commerce Developer Documentation Resources. For more information, see the release note.