Configure Secure Code Uploads

To upload code securely, use two-factor authentication to upload the code to the staging instance. After the code is on the staging instance, use code replication to propagate the code from staging to the production instance.

For a human user, use a Business Manager or Account Manager username and password as the first factor for uploading to staging. For an automated script, use Account Manager to get an authorization token for a Client ID and use that as the first factor. See OCAPI OAuth 2.0 23.2 for details about authenticating an API client. The second factor of authentication for code uploads to staging is always a client certificate.

To enforce this process of secure uploads, make sure that your configuration requires two-factor authentication for uploading code to the staging instance and disallows code uploads to the production instance. As of August 1, 2020, Salesforce mandates these settings.
  1. See if two-factor authentication is required for uploading code to your staging instance and enable it if necessary:
    1. Log in to Business Manager on the staging instance as a user with administrative privileges.
    2. Go to Administration > Site Development > Development Setup.
    3. Look at the status message under WebDAV Access, Cartridges.
      If the message is "A client certificate is required to upload code to this instance type", two-factor authentication is already enabled. If the message is "A client certificate isn't required to upload code to this instance", two-factor authentication isn't enabled and you must enable it, as described in the next step.
    4. To enable two-factor authentication, go to Administration > Global Preferences > Security > Access Restriction and select Require client certificate for code uploads.
      When you require the client certificate for code uploads, the option to configure this setting is no longer available in Business Manager. Only Salesforce Customer Support can revert the setting.
  2. See if code uploads are allowed to your production instance and disallow them if necessary:
    1. Log in to Business Manager on the production instance as a user with administrative privileges.
    2. Go to Administration > Site Development > Development Setup.
    3. Look at the status message under WebDAV Access, Cartridges.
      If the message is "Uploading code to this instance type isn't allowed", code uploads are disallowed to the production instance. If the message is "Uploading code to this instance type is allowed", code uploads are allowed to production and you must disallow uploads, as described in the next step.
    4. To disallow code uploads, go to Administration > Global Preferences > Security > Access Restriction and select Disallow code uploads.
      When you disallow code uploads, the option to configure this setting is no longer available in Business Manager. Only Salesforce Customer Support can revert the setting.