Practically every modern retailer has an online presence where new and returning customers can buy its products and services. The average consumer now expects it, and wants the shopping experience to be smooth, easy and secure.
Whether you’re just now beginning to expand your online retail presence, or have a more established site that you want to increase conversions on, view this presentation to learn the following:
- Common pitfalls and shortcomings in many online retail sites
- Guidance on protecting your site against fraudulent attacks
- Tips to increase your site reliability and performance
- How Cloudflare can help you
Founded in 2010, we have over 700 employees who speak over 41 different languages.
We’re headquartered in San Francisco and have offices in New York, London and Singapore, as well as regional offices in 4 other cities.
From a growth perspective, we have a very strong balance sheet and are continually reinvesting into our products, people, network and research and development.
https://jira.cfops.it/browse/MRK-5212
Talk Track:
Cloudflare leads other performance and security providers in addressing each of the three major requirements:
Cloudflare works at a global scale with an anycast network of 120+ global data centers serving 10% of all HTTP internet traffic and 38% of all DNS queries to over 2.5 billion visitors on behalf of our 7 million customers. Every Cloudflare data center supports every Cloudflare security and performance product, including dynamic routing, caching, DDoS mitigation, SSL termination, DNS, WAF and more. Even the largest Cloudflare customers can onboard in under 5 minutes. Cloudflare’s easy-to-use dashboard, API and included support make initial configuration and any later changes simple to complete.
Three factors are leading many of our customers to experience a growing exposure to security threats:
Greater attack surface results from three common trends:
- Applications publishing more public APIs
- Companies moving more applications, including production-level workloads, to the cloud
- Increasing third-party integrations
Attackers are stronger. Here are three ways:
- Greater volume and greater distribution, including IoT devices as sources
- Greater motivation through the success of holding companies for ransom
- A shift to harder-to-detect and harder-to-block “application” layer attacks
A greater attack surface area along with stronger attackers would, alone, be a big concern. But at the same time, there is greater scrutiny of security incidents:
- Governments are applying greater scrutiny to privacy and data issues
- Media reports of breaches and cybersecurity incidents have increased
- Individual consumers are more educated and aware thanks to high-profile reporting (a combination of #1 and #2)
Questions:
- Do any of these actually sound familiar for your business?
- Do you believe your exposure is decreasing, increasing or staying the same? In what ways?
Background Reading - you can build this into your talk track:
Companies are facing increased pressures to strengthen their security posture. Three forces contributing to the pressure are:
- Attack surface area increases from applications exposing more public APIs, the increase in SaaS adoption, and integration with more third-party applications
- Attackers are stronger, more sophisticated and highly motivated
- Heightened public and government scrutiny of data, privacy and security
Attackers are increasing their frequency and volume of Distributed Denial of Service (DDoS) attacks. By leveraging botnets and the millions of Internet-of-Things (IoT) devices online, they are able to wage highly distributed volumetric attacks with greater ease and impact.
In addition to higher volumes, attackers are shifting their focus from the network layer to the application layer. Application-layer or "Layer 7" attacks are harder to detect, often require fewer resources to bring down a website or application, and can disrupt operations with greater impact.
Attackers are able to monetize their attempts to bring down sites or steal sensitive data, for example by holding sites for ransom. Successful ransom payouts by their enterprise targets have made attackers more motivated, organized and pervasive.
Talk Track: In light of this growing exposure to security risks, what are those primary threats you may encounter?
We spent time talking with OUR customers across different verticals to truly understand the most common fears. These match what industry analysts are reporting:
- Site is unavailable because of a denial of service attack
- Customer data is compromised (e.g. breached or stolen)
- Increasingly, abusive bot activity
For each of these broad types of threats, we’ll quickly go into more detail about what those types of threats or attacks could look like.
Which, if any, of these are most important for you? For the others, do you anticipate they could become problems or think they won’t impact your business? And if so, why?
If there was a pre-call: “I know you shared initial concerns about DDoS; what about data compromise?”
Talk Track: This slide gives examples of the types of DDoS attack. We could dive deeper with the rest of your team and our security team, as well.
The important take-away is that these attacks are layered.
In other words, a DDoS can attack different parts of your infrastructure.
- Volumetric DNS Flood: a high volume of DNS queries against your DNS servers to make them unavailable
- Amplification: using DNS to amplify requests and overload your servers over UDP
- HTTP Flood: a volumetric HTTP attack to bring down the application
All of these attacks impact the availability and performance of websites, applications and APIs.
Questions: This is often a good, in-depth slide to share with a broader audience, for example if you have a security or infrastructure team.
- Would you be interested in that?
- Which have you experienced in the past, if any?
- How did you respond to them if you did?
Talk Track: When it comes to compromise of sensitive customer data, you may be most familiar with malware.
While that’s a very visible form of attack right now, there are other common, just less media-hyped, forms of customer data theft to consider.
The take-away for this slide is that attackers can take advantage of different vulnerabilities.
- DNS Spoofing: visitors are directed to a fake site instead of yours. A compromised DNS record, or "poisoned cache," can return a malicious answer from the DNS server, sending an unsuspecting visitor to an attacker's site. This enables attackers to steal user credentials and then take over legitimate accounts.
- Data Snooping: sensitive data like visitors’ credentials or credit cards is snooped over the wire. Attackers can intercept or "snoop" on customer sessions to steal sensitive customer data, including credentials such as passwords or credit card numbers.
- Brute Force: attackers repeatedly try credentials to take over an account. Attackers can wage "dictionary attacks" by automating logins with dumped credentials to "brute force" their way through a login-protected page.
- Malicious Payload: SQL injection, cross-site scripting or remote file inclusion that results in exfiltrated data. Malicious payloads exploit an application vulnerability. The most common forms are SQL injection, cross-site scripting and remote file inclusion. Each of these can exfiltrate sensitive data by running malicious code on the application.
The risk is that sensitive customer data, such as credit card information, might get compromised.
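The malicious-payload item above names SQL injection as the most common way an application vulnerability turns into exfiltrated data. The following added example (written for this page; it is not part of the original presentation and not Cloudflare code) shows in Python with SQLite what a WAF in front of the site cannot fix for you at the application layer: a customer lookup that splices the user's input into the SQL text, beside the same lookup written as a parameterized query. The table, its rows and the crafted input are constructed for the example.

```python
import sqlite3

# Constructed sample data standing in for a retailer's customer table
# (names, addresses and card fragments are made up for this example).
SAMPLE_ROWS = [
    ("alice", "alice@example.com", "1111"),
    ("bob", "bob@example.com", "0004"),
]


def make_db():
    """Create an in-memory SQLite database seeded with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (username TEXT, email TEXT, card_last4 TEXT)")
    conn.executemany("INSERT INTO customers VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def lookup_vulnerable(conn, username):
    """Vulnerable lookup: the user-supplied value is spliced into the SQL text,
    so a crafted value can change the structure of the query itself."""
    sql = f"SELECT username, email, card_last4 FROM customers WHERE username = '{username}'"
    return conn.execute(sql).fetchall()


def lookup_hardened(conn, username):
    """Hardened lookup: a parameterized query. The value travels separately from
    the SQL text and is only ever compared as data, never parsed as SQL."""
    sql = "SELECT username, email, card_last4 FROM customers WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def compare(username):
    """Run both lookups against the same input and return (vulnerable, hardened) row counts."""
    conn = make_db()
    return len(lookup_vulnerable(conn, username)), len(lookup_hardened(conn, username))


if __name__ == "__main__":
    # A legitimate username behaves the same either way ...
    print("alice:", compare("alice"))            # (1, 1)
    # ... but a constructed tautology turns the vulnerable query's WHERE clause
    # into  username = 'x' OR '1'='1'  and dumps every customer row.
    print("crafted:", compare("x' OR '1'='1"))   # (2, 0)
```

The hardened version is the one to ship; the edge WAF the presentation describes is a second, independent layer that catches the same class of payload before it reaches the origin, not a substitute for it.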
As customer expectations increase, as the importance of mobile rises, and as users globalize faster, these three forces strain application performance.
The top three performance concerns resulting from these major shifts are the following:
- Slow web pages, applications or APIs due to heavier “content” or longer distances to the origin
- Slow mobile experiences, both for sites accessed over mobile and for native mobile apps
- Unavailable applications through overloaded infrastructure, congested networks, or unexpected, hard-to-troubleshoot issues with the application itself
Let’s look at some of the underlying causes of these problems:
Heavier pages and long distances from the origin slow down sites or applications:
- Higher expectations result in heavier pages
- A more global user base increases distances from the origin
Mobile clients introduce performance and content delivery constraints that hurt user experience:
- Lower power and memory
- Poor networks
- Frequent calls to the origin
Overloaded or unavailable infrastructure stops users from accessing applications:
- Because of richer interactions and more business transacting online, availability and disaster recovery are even more important
Which, if any, of these are most important for you?
For the others, do you anticipate they could become problems or think they won’t impact your business? And if so, why?
How geographically distributed is your customer base?
Have you run into any performance problems when trying to create richer content or more interactive experiences?
Have you seen a shift towards more mobile users? What % of customers are coming from mobile devices? Are mobile users more or less engaged than traditional users?
Have you had unplanned outages? How do you handle outages? Do you have an action plan?
Heavier pages take longer to load.
More interactivity and personalization require more trips to the origin:
- Content is more personalized and pulls from the data store
- Interactivity sends more requests to the origin
- Passive data collection back at the origin (?)
Move global, faster:
- Customers are further away from the origin, so content has further to travel
- A global base increases the number of customers with slower networks
According to an article in Wired, the average web page is now 2.3MB, which is larger than the famous computer game Doom was when it was first released. "The Average Webpage Is Now the Size of the Original Doom", Klint Finley, 4.23.16, Wired, https://www.wired.com/2016/04/average-webpage-now-size-original-doom/: "Today’s average webpage, meanwhile, requires users to download about 2.3MB worth of data, according to HTTP Archive, a site that tracks website performance and the technologies they use."
When it comes to the customer’s mobile experience, the same issues we just discussed for web pages, applications or APIs hurt the user experience even more. Mobile clients add latency when decompressing and rendering images, processing client-side code and establishing connections, because of less performant CPU, memory and power compared to desktops. Mobile devices often connect to spottier and lower-throughput networks, which increases latency and errors. Mobile apps also typically increase the number of API calls needed, which reduces the effectiveness of caching and requires requests to travel longer distances to the origin.
Growth in mobile usage, traffic, and transactions compounds existing performance issues found on desktop. Mobile clients introduce performance and content delivery constraints that hurt user experience.
Mobile devices have limited compute, memory and power, which slows their ability to process content like images or client-side code.
Networks are often slower and more erratic:
- Mobile network operators throttle: https://opensignal.com/blog/2015/06/16/data-throttling-operators-slow-connection-speed/
- Mobile networks introduce latency: https://serverfault.com/questions/387627/why-do-mobile-networks-have-high-latencies-how-can-they-be-reduced and https://en.wikipedia.org/wiki/Radio_Resource_Control
- Mobile customers move from hot spot to hot spot, and tower to tower
Mobile apps designed around API requests to origin:
The other primary problem occurs when performance degrades so badly, due to network congestion or overloaded infrastructure, that the applications stop being available to users altogether.
The common causes of unavailability include the following:
- Applications or individual origin servers experience unexpected downtime and hard-to-troubleshoot outages.
- Traffic, both good and bad, exceeds the capacity of a specific origin server or data center, making them unavailable.
- Many companies have manual, error-prone disaster recovery and in-house load balancing, which increases the risk of application failure while adding maintenance and operational costs.
Here’s a use case of a mobile app defending itself against DDoS attacks with a WAF.
Practical Tips to Improve your eCommerce Website Performance and Security
Cloudflare at a glance
- 2010: Launched at TechCrunch Disrupt
- 700+ employees and counting
- San Francisco // London // Singapore // Austin // Miami // Washington D.C. // Champaign // Boston // New York
The Cloudflare Advantage: Integrated Performance, Security, and Reliability
- 9.5 M domains and routing traffic for
- Data Centers with 15 Tbps capacity
- HTTP Internet traffic
- 10% All DNS queries
- Argo, Workers
Latest Web eCommerce News Events
- $90 million lost in a concentrated 75
- Millions of contact information, usernames and encrypted passwords
- Personal information and credit card information potentially exposed to a
Factors increasing exposure to security risks
- Greater scrutiny by government and media around data, privacy
- Greater attack surface area from more public APIs, moving to the cloud, and increasing
- Stronger and more
Customers’ Security Threats
- Attack traffic impacts availability or performance
- Multi-vector attacks that
- Application and API Vulnerabilities, eg: SQLi that exfiltrates PII
- Bots, Brute Force
Types of DDoS Attack Traffic
- Volumetric DNS Flood (DNS Server)
- Amplification (Layer 3 & 4)
- HTTP Flood (Layer 7)
- Degrades availability and performance of applications, websites, and APIs
Customers’ Performance Challenges
- Overloaded or unavailable infrastructure stops users from accessing applications
- Applications and API: Heavy pages and long distances from the origin slow down Internet applications and APIs
- Slow Mobile Sites: Mobile clients introduce performance and content delivery constraints that hurt user experience
Slow Web Pages, Applications, and APIs
- Business, customers, and users are more globally distributed, requiring content to travel longer
- Heavier pages from more and bigger assets like images and
- More interactivity and more trips to the origin
Slow Mobile Sites and Apps
- Mobile devices have limited compute, memory and power which slows down processing content like images or client-side
- Mobile apps use APIs which increase calls to the origin
- Mobile devices have slower and more erratic networks which hurts
Overloaded or Unavailable Infrastructure
- Applications or individual origin servers experience unexpected downtime and hard-to-troubleshoot outages, which prevent user access
- Traffic, both expected and unexpected, exceeds capacity of the origin server or data center, making them unavailable or less performant
- Manual disaster recovery and in-house load-balancing exposes applications to downtime while increasing maintenance and
Security Best Practices
- Deploy rate-limiting on Cloudflare and build it into our software. Never rely on a single point of protection.
- Locking down systems to particular networks using Cloudflare URL lockdown rules and only provide access to what is needed - the principle of least privilege.
- Ensure that all customer
- HTTPS at the application
- Web App Firewall: Enabled WAF on all of our sites - we're a common target for scraping since we advertise prices on our sites, utilise the WAF not only for protection but also to stop fake bots from scraping our sites.
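The brute-force threat described in the talk track and the first best practice above (rate-limiting at Cloudflare and again inside the application, never relying on a single point of protection) are the motivation for this added example. It is written for this page and is not code from Cloudflare or from the customer quoted above. It implements the in-application half of that advice: a sliding-window limiter on failed logins keyed on both the account name and the client IP, exercised against two constructed scenarios (many passwords against one account, and one password sprayed across many accounts). The class and function names, the credential store and the IP addresses are all assumptions made for the example.

```python
from collections import defaultdict, deque


class LoginRateLimiter:
    """Sliding-window limiter for failed login attempts.

    Failures are counted per key (an account name or a client IP) inside a
    window of `window_seconds`. Once `max_failures` failures are recorded, the
    key is refused until the oldest failure ages out of the window. Time is
    passed in explicitly so the behaviour is deterministic and testable.
    """

    def __init__(self, max_failures=5, window_seconds=300):
        self.max_failures = max_failures
        self.window = window_seconds
        self._failures = defaultdict(deque)  # key -> timestamps of recent failures

    def _prune(self, key, now):
        # Drop failures that have slid out of the window.
        q = self._failures[key]
        while q and now - q[0] >= self.window:
            q.popleft()

    def allowed(self, key, now):
        self._prune(key, now)
        return len(self._failures[key]) < self.max_failures

    def record_failure(self, key, now):
        self._prune(key, now)
        self._failures[key].append(now)

    def record_success(self, key):
        self._failures.pop(key, None)


def attempt_login(limiter, ip, username, password, now, check_credentials):
    """One login attempt. Limits are enforced per account AND per source IP,
    so both a distributed attack on one account and one IP spraying many
    accounts are throttled. Returns "ok", "invalid" or "rate_limited"."""
    keys = (f"user:{username}", f"ip:{ip}")
    if not all(limiter.allowed(k, now) for k in keys):
        return "rate_limited"          # refused before any password check
    if check_credentials(username, password):
        for k in keys:
            limiter.record_success(k)
        return "ok"
    for k in keys:
        limiter.record_failure(k, now)
    return "invalid"


# Constructed credential store for the demo only (a real service verifies a
# salted password hash rather than keeping plaintext).
_CREDS = {"alice": "correct-horse"}


def _check(username, password):
    return _CREDS.get(username) == password


def simulate_credential_stuffing():
    """Constructed scenario: one IP tries 8 wrong passwords for 'alice' within
    40 seconds, then the right one at t=60 and again at t=400."""
    limiter = LoginRateLimiter(max_failures=5, window_seconds=300)
    ip = "203.0.113.7"  # documentation-range address, constructed
    outcomes = [attempt_login(limiter, ip, "alice", f"guess{i}", i * 5, _check)
                for i in range(8)]
    # Still locked out at t=60, even with the correct password ...
    outcomes.append(attempt_login(limiter, ip, "alice", "correct-horse", 60, _check))
    # ... and accepted once the failures have aged out of the 300 s window.
    outcomes.append(attempt_login(limiter, ip, "alice", "correct-horse", 400, _check))
    return outcomes


def simulate_password_spray():
    """Constructed scenario: one IP tries the same password against seven
    different accounts; the per-IP key throttles it after five failures."""
    limiter = LoginRateLimiter(max_failures=5, window_seconds=300)
    return [attempt_login(limiter, "198.51.100.9", f"user{i}", "password1", i, _check)
            for i in range(7)]


if __name__ == "__main__":
    print(simulate_credential_stuffing())
    print(simulate_password_spray())
```

Counting only failures (and clearing them on success) keeps legitimate users who mistype once from being locked out, while the two keys together cover both attack shapes; the edge rate limit the customer also deploys sits in front of this and absorbs the bulk of the traffic before it reaches the application.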
Performance Best Practices
- With Cloudflare we specify what we don’t want to cache - any new pages added to our site get cached by default.
- We minify all of our content using Cloudflare Auto Minify. This download times on mobile, and reduces our bandwidth costs as well.
- Smart Routing and
- The cost of network latency can often be overlooked and it's important that the customer receive the fastest route to our
- A 50 millisecond win through smart routing is a win that applies to all of your requests.
- Async Script Loading (deferred and loaded parallel with each other) - we currently utilise Loader on 50% of our sites to achieve this having to make changes to our underlying code.
Customer Case Study: de Bijenkorf
- Protection against DDoS attacks
- Maintain performance
- Automatic DDoS mitigation for layer 3 & 4 attacks
- Global CDN
- Peace of mind with a protected, secured app
- Prevents significant, six figure revenue loss
de Bijenkorf is a luxury department store based in the Netherlands dedicated to surprising its customers with exceptional products through an inspiring and unique customer
"We were really excited about a single vendor solution with easy setup, easy use, maximum protection, and a very
Head of Technology
Customer Case Study: Lenskart www.cloudflare.com/case-studies/lenskart/
Lenskart has sprinted to be India's fastest growing eyewear business
"Application Firewall blocks over 30,000 threats from hitting our website every month,” Barat noted. “We process sensitive customer data, so having Cloudflare as an extra layer of protection to prevent exfiltration of that data brings us peace-of-mind. Plus, with Cloudflare’s DDoS mitigation we know our site won’t experience costly
- Protecting Customer Data
- Rapid growth meant high notoriety for attack
- Sensitive data protected with 30,000 WAF blocks per month
- 72% (8Tb) bandwidth savings with CDN
- DDoS mitigation
Customer Case Study: Touch of Modern
- “We save customer credit cards for reuse, which provides a more convenient shopping experience, but if a customer account got breached, it could result in unauthorized credit card charges, which would be a nightmare for both us and our customers.”
- Global CDN with 150+ Data centers
- Argo Smart Routing
- Sensitive Customer data protected
- Estimated 5% increase in conversion with a faster website
- 27% faster web presence with Argo Smart Routing
Touch of Modern is a curated commerce destination for the modern man. “We discover the most interesting products in the world,” explained Steven Ou, CTO of Touch of Modern, “and make them available to you at unbeatable prices.”
“Cloudflare helps keep us online, provides a faster site experience to our end users, and protects our
Customer Case Study: NatureBox www.cloudflare.com/case-studies/naturebox/
NatureBox is a leading packaged food provider offering their products through their online store and
“We use Cloudflare . . . to cache all of our non-customer specific data, including our entirety of our product catalog, inventory, etc. so that we can deliver those responses to the customer as fast as
- “Having a quick website is very integral to us being able to sell a
- “One of our main API requests for our catalog data was taking on average 20 seconds”
- Application Security
- Completely edge cached response to ~ 35 ms response time
- Single vendor for every solution (DNS, CDN, Security)