Improvements to the SAP Commerce Cloud Platform

Objective

After completing this lesson, you will be able to identify the latest platform improvements in SAP Commerce Cloud.

Enhancements in Brute Force Attack Prevention

Disabling Admin User Login in Brute Force Attack Prevention

Over the past year, there have been a few improvements in how we deal with brute force attacks. It’s now possible to disable the login for the admin user, as part of brute force attack prevention. This capability improves security by ensuring that admin privileges aren’t used by potential attackers. Ensure that you’ve created at least one other admin user that is part of the admingroup so that the admin privileges aren’t lost completely after disabling an admin user.

Automatic Unlocking After Unsuccessful Login Attempts

Once a user has been disabled after too many unsuccessful login attempts, such as in a brute force attack scenario, user accounts and OAuth clients can now be automatically unlocked. Unlocking accounts after a configurable period allows valid users to log in eventually, while slowing down attackers who attempt to probe passwords.

For more information on automatic unlocking, see Automatic Unlocking of Locked User Accounts and OAuth Clients.

Improved IP Address Handling

The /applyVoucher OCC API now uses customers’ real IP addresses for brute force protection instead of proxy addresses. This prevents users behind shared proxies from unintentionally sharing coupon application limits and improves the accuracy of per-IP rate limiting.

Improved Password Management

Disabling Plaintext Fallback in TAE and Removal of Plaintext in System User Creation

Sensitive string attributes secured by Transparent Attribute Encryption (TAE) now have enhanced protection against data tampering. You can disable the TAE plaintext fallback to mitigate the risk of the system accepting potentially compromised plaintext values. In addition, plaintext-based initialization has been removed from the creation of the anonymous and admin users.

Password Policy Enhancements

In terms of managing passwords themselves, you can now activate fallback password quality checks to ensure that user passwords meet quality requirements, such as minimum length and required character types, even if these requirements have not been set at the user group level.

To further enhance security, in the default configuration, all users across all user groups are now automatically prevented from reusing old passwords. New passwords entered by users are checked against their password history to ensure that previously used credentials aren't reused.

Expiration of Passwords

Further, you can now configure a password expiration policy for internal user groups to enhance security, either based on inactivity (no login for a certain number of days) or fixed validity periods. After the configured period, affected users are blocked from logging in until they reset their password.

New Logging Behavior

Logging Permission Changes in Audit Logging

All permission assignments where permissions are granted, removed, or denied are now logged in audit logging. For more information on permission assignments, see Access Rights.

Change Logging for Backoffice Configuration

The change logging for Backoffice configuration now tracks changes to widgets and cockpit configurations, storing detailed logs as media items in Media Storage. Authorized users (for example, admins) can download and compare these change records. A data-retention policy periodically removes expired histories.

Expired Carts Cronjob

Cronjob to Delete Expired Saved Carts

The enhanced cart removal cronjob now deletes expired saved carts, ensuring outdated carts don't clutter user sessions.

FlexibleSearch Restrictions

Disabling FlexibleSearch Restrictions for Individual Users

To improve performance, it's now possible to globally disable FlexibleSearch restrictions defined for individual users, keeping only the user group restrictions, or to disable them only for users in selected user groups.

Since FlexibleSearch restrictions are usually defined for user groups, disabling individual user restrictions doesn't affect query results, but it improves performance by reducing the number of required database calls.