The Embedded CDN (eCDN) in Salesforce B2C Commerce Cloud is one of the platform’s more powerful — and underused — configuration surfaces. It gives you control over hostname management, SSL certificates, firewall policies, WAF rules, and image compression, all directly from Business Manager. This guide walks through the full configuration.
Accessing eCDN Settings
Navigate to Administration > Sites > Embedded CDN Settings.
Important: These settings appear blank on Secondary Instance Groups (SIGs) and on newly provisioned Primary Instance Groups (PIGs) until aliases are configured. Configure your aliases first; nothing will appear here before that.
Configuring Zones and Hostnames
Step 1: Access Embedded CDN Settings
Two buttons are available: Add Hostname and Configure Zones.
Step 2: Add a Hostname
Click Add Hostname to view your configured aliases. Select the desired alias — the hostname will appear in the eCDN table within minutes (the popup suggests up to 48 hours, but it is usually much faster).
Step 3: Review Hostname Details
The eCDN table displays:
| Column | Description |
|---|---|
| Hostnames | Your configured alias domain |
| DNS CNAME | The record to set with your DNS provider |
| Status | Hostname and SSL certificate status |
| Expires On | SSL certificate expiration date |
| Sites | Associated site |
SSL Configuration
Step 4: Configure SSL
Click Configure Zones (or the settings icon next to a hostname) and navigate to the Crypto tab. Here you can enable or disable TLS 1.3.
Step 5: Add an SSL Certificate
Two options:
Self-Managed Certificate:
- Paste the certificate content
- Provide the corresponding private key
- Select the target hostname
eCDN-Managed Certificate:
- Let eCDN handle certificate management and renewal automatically
For most implementations, the eCDN-managed option reduces operational overhead significantly.
Firewall Configuration
Step 6: Firewall Settings
The Firewall tab allows you to:
- Add trusted IP lists (for whitelisting your own infrastructure)
- Set a security level: Low, Medium, High, or Under Attack
Security levels use visitor IP reputation scoring to determine when to present a challenge. Under Attack mode is a temporary measure for active DDoS situations.
Step 7: Web Application Firewall (WAF)
The WAF tab provides three rulesets:
eCDN Managed Ruleset — Salesforce-managed rules covering common attack patterns. Available actions for detected threats:
- Default, Block, Log, Managed Challenge, JS Challenge, Legacy Captcha
OWASP Managed Ruleset — Industry-standard OWASP rules. Three configurable settings:
- Action — same options as eCDN managed
- Anomaly Score Threshold — Low, Medium, or High (cumulative threat scoring)
- Paranoia Level — PL1 through PL4 (higher levels provide stronger protection but may produce false positives on legitimate traffic)
eCDN Exposed Credentials Check — Checks requests against known leaked credential databases. Same action options as the managed ruleset.
WAF logs are available for the past 7 days — useful for tuning rules and investigating blocked legitimate traffic.
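To see how the Anomaly Score Threshold and Paranoia Level interact when tuning against false positives, here is an added example (not Salesforce or eCDN code) that models cumulative scoring over constructed requests. The rule names, patterns, point values and threshold numbers are all assumptions made for illustration, including the assumption that a High threshold acts at the lowest cumulative score.

```python
import re

# Assumption: a "High" threshold acts at the lowest cumulative score.
# The numbers are illustrative and do not come from the page.
THRESHOLDS = {"Low": 60, "Medium": 40, "High": 25}

# Constructed toy rules (id, paranoia level, score, pattern); not real ruleset entries.
RULES = [
    ("toy-sqli-keywords", 1, 25, re.compile(r"\bunion\b.+\bselect\b", re.I)),
    ("toy-script-tag",    1, 25, re.compile(r"<\s*script", re.I)),
    ("toy-quote-char",    2, 15, re.compile(r"'")),
    ("toy-sql-comment",   2, 15, re.compile(r"--")),
    ("toy-special-chars", 3, 10, re.compile(r"[;%&]")),
]

def evaluate(text, paranoia_level, threshold):
    """Return (score, matched rule ids, action_taken) for one request string."""
    if paranoia_level not in (1, 2, 3, 4):
        raise ValueError("paranoia level must be 1..4")
    # Only rules at or below the chosen paranoia level are active.
    matched = [(rid, pts) for rid, pl, pts, rx in RULES
               if pl <= paranoia_level and rx.search(text)]
    score = sum(pts for _, pts in matched)
    return score, [rid for rid, _ in matched], score >= THRESHOLDS[threshold]

def false_positives(legit_samples, paranoia_level, threshold):
    """Known-good requests that the chosen settings would act on."""
    return [s for s in legit_samples if evaluate(s, paranoia_level, threshold)[2]]

def tuning_matrix(legit_samples):
    """Count false positives for every paranoia level / threshold pair."""
    return {(pl, th): len(false_positives(legit_samples, pl, th))
            for pl in (1, 2, 3, 4) for th in THRESHOLDS}

# Constructed sample traffic: two legitimate storefront searches, one suspicious.
LEGIT = ["q=red shoes", "q=O'Neill wetsuit -- size M; 50% off"]
SUSPICIOUS = "q=x' union select 1 --"

if __name__ == "__main__":
    for (pl, th), n in sorted(tuning_matrix(LEGIT).items()):
        hit = evaluate(SUSPICIOUS, pl, th)[2]
        print(f"PL{pl} {th:<6} false positives={n} suspicious acted on={hit}")
```

In this model the legitimate search containing an apostrophe and a double hyphen scores nothing at PL1 but crosses the High threshold at PL2, which is the kind of pattern to look for in the WAF logs before raising either setting.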
Performance Configuration
Step 8: Speed Optimisation
The Speed tab contains two sections:
Optimisation Settings:
- Early Hints — sends resource-loading instructions before the full server response, reducing perceived load time
- HTTP/3 — enables the QUIC protocol for faster, more secure communication
- HTTP/2 to Origin — enhances performance between eCDN and your origin server
Polish Level (Image Compression):
- Off — no modification
- Basic — reduces file size without quality impact; strips metadata
- Basic + JPEG — lossy compression for JPEG images
- WebP Support — checkbox to also serve WebP format to compatible browsers
For most storefronts, enabling Basic Polish and WebP Support is a safe, meaningful performance improvement with no visible quality degradation.
Custom Error Pages
Step 9: Customisation Settings
The Customise tab allows you to define custom pages for:
- 500-class errors — server-side errors
- 1000-class errors — CDN-level errors
- Under Attack mode page — the page shown to users when the site is in attack protection mode
You can preview defaults and publish custom versions that match your storefront’s design.
Summary
Proper eCDN configuration is one of the highest-impact, lowest-cost performance and security improvements available in SFCC. Hostnames, SSL, WAF rules, firewall policies, and image compression — all configurable through Business Manager, no infrastructure work required. If your implementation has not touched these settings, it is worth an afternoon of configuration time.