Practical Tips to Improve your eCommerce Website Performance and Security

Speakers
- Derek Yee, Product Marketing Lead, Performance Solutions
- Tim Fong, Product Marketing Lead, Security Solutions
- Austin Davies, Site Reliability Engineer, AO.com
Cloudflare at a glance
- 2010: launched at TechCrunch Disrupt
- 700+ employees and counting
- 9 offices: San Francisco // London // Singapore // Austin // Miami // Washington D.C. // Champaign // Boston // New York

The Cloudflare Advantage: Integrated Performance, Security, and Reliability

Scale
- 9.5 M domains and routing traffic for 2.5
- 150+ data centers with 15 Tbps capacity
- 10% of HTTP Internet traffic
- 38% of all DNS queries

Integrated stack
- Global Anycast Network, China Network
- WAF/Firewall, DDoS, Rate Limiting, Access, TLS, Spectrum
- Content Optimization, Load Balancing, DNS, Argo, Workers, CDN, Stream, Mobile SDK
- Latest Web Standards

Easy fine-grained control
eCommerce News Events
- Amazon: $90 million lost in a concentrated 75 minute outage
- Adidas: contact information, usernames and encrypted passwords for millions of customers leaked
- Macy's: personal information and credit card information potentially exposed to a third party
Securing your online presence

Factors increasing exposure to security risks
- Greater scrutiny by government and media around data, privacy and security
- Greater attack surface area from more public APIs, moving to the cloud, and increasing third-party integrations
- Stronger and more sophisticated attackers
Customers' Security Threats
- System level: DDoS attack. Attack traffic impacts availability or performance.
- Web page level: vulnerable applications and APIs. Multi-vector attacks that exploit vulnerabilities.

Types of DDoS Attack Traffic
1. Volumetric DNS flood: bots flood the DNS servers
2. Amplification (Layer 3 & 4): bots flood the server
3. HTTP flood (Layer 7): bots flood the HTTP application, typically the application/login page

All three degrade availability and performance of applications, websites, and APIs.

Application and API Vulnerabilities
1. DNS spoofing: visitors are sent to a fake website
2. Data snooping: the attacker intercepts traffic in transit
3. Malicious payload, e.g. SQLi that exfiltrates PII and credentials
4. Bots brute-forcing logins
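The malicious-payload item above names SQL injection that exfiltrates PII and credentials. The following is an added example, not code from the deck or from any of the companies it names: a constructed customer table, a lookup written the vulnerable way beside the parameterised form, and a constructed payload that dumps every row from the first and nothing from the second. The table, column names, hashes and the `looks_like_email` input check are all assumptions made for the example.

```python
import re
import sqlite3

# Constructed sample data (no real customers): the kind of table an eCommerce
# login or account-lookup endpoint queries.
SAMPLE_ROWS = [
    ("alice@example.com", "$2b$12$constructed-hash-A", "4242"),
    ("bob@example.com", "$2b$12$constructed-hash-B", "1881"),
]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE customers ("
        "id INTEGER PRIMARY KEY, email TEXT, password_hash TEXT, card_last4 TEXT)"
    )
    conn.executemany(
        "INSERT INTO customers (email, password_hash, card_last4) VALUES (?, ?, ?)",
        SAMPLE_ROWS,
    )
    return conn


def lookup_vulnerable(conn, email):
    """VULNERABLE: the email is spliced into the SQL text, so a quote character
    in it changes the query's structure instead of being treated as data."""
    sql = (
        "SELECT email, password_hash, card_last4 FROM customers "
        f"WHERE email = '{email}'"
    )
    return conn.execute(sql).fetchall()


def lookup_safe(conn, email):
    """HARDENED: a bound parameter is handed to the engine as a value; the
    query shape is fixed no matter what the string contains."""
    sql = "SELECT email, password_hash, card_last4 FROM customers WHERE email = ?"
    return conn.execute(sql, (email,)).fetchall()


# Defence in depth (assumed check, not a substitute for parameterisation):
# reject input that cannot be an email before it reaches the database.
EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")


def looks_like_email(value):
    return len(value) <= 254 and bool(EMAIL_RE.match(value))


# Constructed attacker input: closes the quoted literal and appends a predicate
# that is always true, so the WHERE clause matches every row in the table.
PAYLOAD = "nobody@example.com' OR '1'='1"


def demo():
    """Returns (rows leaked by the vulnerable query, rows returned by the safe
    query, whether the input check would have accepted the payload)."""
    conn = make_db()
    leaked = lookup_vulnerable(conn, PAYLOAD)   # every row: PII plus credential hashes
    contained = lookup_safe(conn, PAYLOAD)      # no row has that literal email
    return len(leaked), len(contained), looks_like_email(PAYLOAD)


if __name__ == "__main__":
    print(demo())  # (2, 0, False)
```

The parameterised query is the control that matters; a WAF in front of it and the input-shape check are extra layers that narrow what reaches the database, which is the "never rely on a single point of protection" posture the deck recommends later.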
Building faster websites and apps

Customers' Performance Challenges
- Infrastructure: unavailable applications. Overloaded or unavailable infrastructure stops users from accessing applications.
- Internet: slow Internet applications and APIs. Heavy pages and long distances from the origin slow down Internet applications and APIs.
- Mobile: slow mobile sites and apps. Mobile clients introduce performance and content delivery constraints that hurt user experience.

Slow Web Pages, Applications, and APIs
- Business, customers, and users are more globally distributed, requiring content to travel longer distances to and from the origin.
- Heavier pages from more and bigger assets like images and JavaScript take longer to load.
- More interactivity and personalization require more trips to the origin.

Slow Mobile Sites and Apps
- Mobile devices have limited compute, memory and power, which slows down processing of content like images or client-side code.
- Mobile apps use APIs, which increase calls to the origin.
- Mobile devices have slower and more erratic networks, which hurts throughput.

Overloaded or Unavailable Infrastructure
- Applications or individual origin servers experience unexpected downtime and hard-to-troubleshoot outages, which prevent user access.
- Traffic, both expected and unexpected, exceeds the capacity of the origin server or data center, making them unavailable or less performant.
- Manual disaster recovery and in-house load balancing (primary/failover) expose applications to downtime while increasing maintenance and operational costs.
Customer examples

Security Best Practices
- Multi-layer protection: deploy rate limiting on Cloudflare and build it into our software. Never rely on a single point of protection.
- Network-access based: lock down systems to particular networks using Cloudflare URL lockdown rules and only provide access to what is needed - the principle of least privilege.
- HTTPS everywhere: ensure that all customer-facing systems communicate over HTTPS at the application level.
- Web App Firewall: we enabled the WAF on all of our sites. We're a common target for scraping since we advertise prices on our sites, so we utilise the WAF not only for protection but also to stop fake bots from scraping our sites.

Performance Best Practices
- Cache everything: with Cloudflare we specify what we don't want to cache - any new pages added to our site get cached by default.
- Minification: we minify all of our content using Cloudflare Auto Minify. This improves customer download times on mobile, and reduces our bandwidth costs as well.
- Smart routing and tiered caching: the cost of network latency can often be overlooked, and it's important that the customer receives the fastest route to our sites. A 50 millisecond win through smart routing is a win that applies to all of your requests.
- Async script loading: JavaScript can be deferred and loaded asynchronously (in parallel with each other) - we currently utilise Cloudflare Rocket Loader on 50% of our sites to achieve this technique without having to make changes to our underlying code.
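Two of the security practices above, rate limiting built into the software behind the edge and HTTPS enforced at the application level, share one pitfall once a CDN sits in front of the origin: the application only sees the proxy's address and a plain-HTTP connection, so it must read the client address and scheme from headers, and those headers are only trustworthy when the TCP peer really is the CDN. The code below is an added example written for this page, not AO.com's or Cloudflare's code. The trusted range (TEST-NET-3), the header names, the 5-per-minute limit and `handle_login` are assumptions; a real origin would load the CDN provider's published ranges.

```python
import ipaddress
import time
from collections import defaultdict, deque

# Constructed placeholder for the CDN's egress ranges so the example runs
# offline. A real origin loads the provider's published list and refreshes it.
TRUSTED_PROXY_NETS = [ipaddress.ip_network("203.0.113.0/24")]


def _from_trusted_proxy(peer_ip):
    peer = ipaddress.ip_address(peer_ip)
    return any(peer in net for net in TRUSTED_PROXY_NETS)


def client_ip(peer_ip, headers):
    """Address to rate-limit on.

    CF-Connecting-IP / X-Forwarded-For are believed only when the TCP peer is
    the CDN. A client that reaches the origin directly could otherwise set the
    header to a fresh value per request and never exhaust a per-IP bucket.
    """
    if _from_trusted_proxy(peer_ip):
        forwarded = headers.get("CF-Connecting-IP") or headers.get("X-Forwarded-For", "")
        candidate = forwarded.split(",")[0].strip()
        try:
            return str(ipaddress.ip_address(candidate))
        except ValueError:
            pass  # malformed header: fall through and key on the proxy itself
    return peer_ip


def is_https(peer_ip, headers, scheme):
    """HTTPS-everywhere enforced by the application, not only by the edge.

    Behind a TLS-terminating proxy the origin's own socket is plain HTTP, so the
    scheme has to come from X-Forwarded-Proto, trusted only from the proxy.
    """
    if scheme == "https":
        return True
    if _from_trusted_proxy(peer_ip):
        return headers.get("X-Forwarded-Proto", "").lower() == "https"
    return False


class SlidingWindowLimiter:
    """Allow at most `limit` hits per key in any trailing `window` seconds."""

    def __init__(self, limit, window):
        self.limit = limit
        self.window = window
        self._hits = defaultdict(deque)

    def allow(self, key, now=None):
        now = time.monotonic() if now is None else now
        q = self._hits[key]
        while q and q[0] <= now - self.window:   # drop hits outside the window
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


# Second layer behind the edge rate limit: 5 login attempts per source per minute.
LOGIN_LIMITER = SlidingWindowLimiter(limit=5, window=60)


def handle_login(peer_ip, headers, scheme, now=None):
    """Return the HTTP status for one POST /login attempt (credential check omitted)."""
    if not is_https(peer_ip, headers, scheme):
        return 403
    if not LOGIN_LIMITER.allow(client_ip(peer_ip, headers), now):
        return 429
    return 200
```

The `now` parameter exists so the window logic can be exercised deterministically; production callers leave it unset. Keying on the peer address when the header is untrusted means an attacker who bypasses the CDN still shares one bucket for all of their spoofed headers.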
Customer Case Study: de Bijenkorf
CHALLENGES
• Protection against DDoS attacks
• Maintain performance
CLOUDFLARE SOLUTION
• Automatic DDoS mitigation for layer 3 & 4 attacks
• Global CDN
KEY RESULT
• Peace of mind with a protected, secured app
• Prevents significant, six figure revenue loss
www.cloudflare.com/case-studies/debijenkorf/
de Bijenkorf is a luxury
department store based in the
Netherlands dedicated to
surprising its customers with
exceptional products through an
inspiring and unique customer
experience.
"We were really excited
about a single vendor
solution with easy setup,
easy use, maximum
protection, and a very
friendly team."
Christiaan Mourik
Head of Technology
Customer Case Study: Lenskart www.cloudflare.com/case-studies/lenskart/
Lenskart has sprinted to be India's
fastest growing eyewear business
“Cloudflare’s Web
Application Firewall blocks
over 30,000 threats from
hitting our website every
month,” Barat noted. “We
process sensitive customer
data, so having Cloudflare
as an extra layer of
protection to prevent
exfiltration of that data
brings us peace-of-mind.
Plus, with Cloudflare’s DDoS
mitigation we know our site
won’t experience costly
down-time.”
Nirbhab Barat
CHALLENGES
• Protecting Customer Data
• Rapid growth meant high notoriety for attack
CLOUDFLARE SOLUTION
• CDN
• WAF
KEY RESULTS
• Sensitive data protected with 30,000 WAF blocks per month
• 72% (8Tb) bandwidth savings with CDN
• DDoS mitigation
Customer Case Study: Touch of Modern
CHALLENGES
• “We save customer credit cards for reuse, which provides a more
convenient shopping experience, but if a customer account got
breached, it could result in unauthorized credit card charges, which
would be a nightmare for both us and our customers.”
CLOUDFLARE SOLUTION
• Global CDN with 150+ Data centers
• Argo Smart Routing
• WAF
KEY RESULTS
• Sensitive Customer data protected
• Estimated 5% increase in conversion with a faster website
• 27% faster web presence with Argo Smart Routing
www.cloudflare.com/case-studies/touch-of-modern
Touch of Modern is a curated
commerce destination for the modern
man. “We discover the most
interesting products in the world,”
explained Steven Ou, CTO of Touch of
Modern, “and make them available to
you at unbeatable prices.”
“Cloudflare helps keep us
online, provides a faster site
experience to our end
users, and protects our
customers' sensitive
information.”
Steven Ou
CTO
Customer Case Study: NatureBox www.cloudflare.com/case-studies/naturebox/
NatureBox is a leading packaged
food provider offering their products
through their online store and
leading grocers.
“We use Cloudflare . . .
to cache all of our non-
customer specific data,
including the entirety of our
product catalog, inventory,
etc. so that we can deliver
those responses to the
customer as fast as
possible.”
Shawn Zeller
Principal Architect
CHALLENGES
• “Having a quick website is very integral to us being able to sell a
product online.”
• “One of our main API requests for our catalog data was taking on
average 20 seconds”
CLOUDFLARE SOLUTION
• CDN
• DNS
• Application Security
KEY RESULTS
• Completely edge-cached response, down to ~35 ms response time (17x improvement)
• Single vendor for every solution (DNS, CDN, Security)
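The AO.com "cache everything" rule (new pages are cached unless excluded) and NatureBox's "cache all non-customer-specific data" both depend on the same decision being made correctly for every response: is this content safe to serve from a shared edge cache? Getting it wrong in the permissive direction serves one customer's cart, account page or session cookie to the next visitor. The policy function below is an added example, not code from either company or from Cloudflare; the path prefixes, the `session` cookie name, the fingerprinted-asset pattern and the TTLs are assumptions for a constructed site layout.

```python
import re
from urllib.parse import urlsplit

# Assumed site layout: paths that carry per-customer data and must never be
# stored in a shared cache.
PERSONALISED_PREFIXES = ("/account", "/cart", "/checkout", "/orders", "/api/me")
# Non-customer-specific data that is safe to cache at the edge for a short time
# regardless of who asks for it.
CATALOG_PREFIXES = ("/products", "/api/catalog", "/api/inventory")
# Fingerprinted static assets (e.g. app.3f9c2e1b.js): the URL changes on every
# deploy, so the body can be cached for a year and marked immutable.
STATIC_RE = re.compile(r"\.[0-9a-f]{6,}\.(css|js|png|jpg|jpeg|gif|svg|webp|woff2?)$")
SESSION_COOKIE = "session"  # assumed cookie name


def _header(headers, name):
    """Case-insensitive lookup; HTTP header names are case-insensitive."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def _has_session_cookie(request_headers):
    cookie = _header(request_headers, "Cookie") or ""
    return any(part.strip().startswith(SESSION_COOKIE + "=") for part in cookie.split(";"))


def cache_control(method, url, request_headers, response_headers):
    """Pick the Cache-Control value for one response.

    Ordering matters: every rule that denies shared caching runs before the
    generic allow rule, so a newly added page is cached by default only when
    nothing marks it as personalised.
    """
    path = urlsplit(url).path
    if method not in ("GET", "HEAD"):
        return "no-store"
    if STATIC_RE.search(path):
        return "public, max-age=31536000, immutable"
    if path.startswith(PERSONALISED_PREFIXES):
        return "private, no-store"
    # A response that sets a cookie binds state to one visitor; if the edge
    # stored it, the next visitor would receive that cookie (session leak).
    if _header(response_headers, "Set-Cookie") is not None:
        return "private, no-store"
    # Catalog data is the same for everyone, so it stays cacheable even when
    # the requester is logged in.
    if path.startswith(CATALOG_PREFIXES):
        return "public, s-maxage=60, stale-while-revalidate=300"
    # Logged-in visitors get personalised variants of otherwise public pages.
    if _header(request_headers, "Authorization") or _has_session_cookie(request_headers):
        return "private, no-store"
    return "public, s-maxage=300"
```

`s-maxage` governs only shared caches such as the CDN, so the browser still revalidates catalog data while the edge absorbs the origin load, which is the effect the NatureBox result describes.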
eCommerce Essentials Ebook
Q&A

More Related Content

More from Cloudflare

Network Transformation: What it is, and how it’s helping companies stay secur...
Network Transformation: What it is, and how it’s helping companies stay secur...Network Transformation: What it is, and how it’s helping companies stay secur...
Network Transformation: What it is, and how it’s helping companies stay secur...Cloudflare
 
Scaling service provider business with DDoS-mitigation-as-a-service
Scaling service provider business with DDoS-mitigation-as-a-serviceScaling service provider business with DDoS-mitigation-as-a-service
Scaling service provider business with DDoS-mitigation-as-a-serviceCloudflare
 
Application layer attack trends through the lens of Cloudflare data
Application layer attack trends through the lens of Cloudflare dataApplication layer attack trends through the lens of Cloudflare data
Application layer attack trends through the lens of Cloudflare dataCloudflare
 
Recent DDoS attack trends, and how you should respond
Recent DDoS attack trends, and how you should respondRecent DDoS attack trends, and how you should respond
Recent DDoS attack trends, and how you should respondCloudflare
 
Cybersecurity 2020 threat landscape and its implications (AMER)
Cybersecurity 2020 threat landscape and its implications (AMER)Cybersecurity 2020 threat landscape and its implications (AMER)
Cybersecurity 2020 threat landscape and its implications (AMER)Cloudflare
 
Strengthening security posture for modern-age SaaS providers
Strengthening security posture for modern-age SaaS providersStrengthening security posture for modern-age SaaS providers
Strengthening security posture for modern-age SaaS providersCloudflare
 
Kentik and Cloudflare Partner to Mitigate Advanced DDoS Attacks
Kentik and Cloudflare Partner to Mitigate Advanced DDoS AttacksKentik and Cloudflare Partner to Mitigate Advanced DDoS Attacks
Kentik and Cloudflare Partner to Mitigate Advanced DDoS AttacksCloudflare
 
Stopping DDoS Attacks in North America
Stopping DDoS Attacks in North AmericaStopping DDoS Attacks in North America
Stopping DDoS Attacks in North AmericaCloudflare
 
It’s 9AM... Do you know what’s happening on your network?
It’s 9AM... Do you know what’s happening on your network?It’s 9AM... Do you know what’s happening on your network?
It’s 9AM... Do you know what’s happening on your network?Cloudflare
 
Cyber security fundamentals (simplified chinese)
Cyber security fundamentals (simplified chinese)Cyber security fundamentals (simplified chinese)
Cyber security fundamentals (simplified chinese)Cloudflare
 
Bring speed and security to the intranet with cloudflare for teams
Bring speed and security to the intranet with cloudflare for teamsBring speed and security to the intranet with cloudflare for teams
Bring speed and security to the intranet with cloudflare for teamsCloudflare
 
Accelerate your digital transformation
Accelerate your digital transformationAccelerate your digital transformation
Accelerate your digital transformationCloudflare
 
Cyber security fundamentals (Cantonese)
Cyber security fundamentals (Cantonese)Cyber security fundamentals (Cantonese)
Cyber security fundamentals (Cantonese)Cloudflare
 
Cloudflareのソリューションを使用して悪意のあるBot対策
Cloudflareのソリューションを使用して悪意のあるBot対策Cloudflareのソリューションを使用して悪意のあるBot対策
Cloudflareのソリューションを使用して悪意のあるBot対策Cloudflare
 
Stopping DDoS Attacks In South Africa
Stopping DDoS Attacks In South AfricaStopping DDoS Attacks In South Africa
Stopping DDoS Attacks In South AfricaCloudflare
 
Cyber security fundamentals
Cyber security fundamentalsCyber security fundamentals
Cyber security fundamentalsCloudflare
 
Webinar - Cyber Security basics in Japanese
Webinar - Cyber Security basics in JapaneseWebinar - Cyber Security basics in Japanese
Webinar - Cyber Security basics in JapaneseCloudflare
 
How to Plan for Performance and Scale for Multiplayer Games
How to Plan for Performance and Scale for Multiplayer GamesHow to Plan for Performance and Scale for Multiplayer Games
How to Plan for Performance and Scale for Multiplayer GamesCloudflare
 
Fight bad bot on the internet
Fight bad bot on the internetFight bad bot on the internet
Fight bad bot on the internetCloudflare
 
How to Build a Practical and Cost-Effective Security Strategy
How to Build a Practical and Cost-Effective Security StrategyHow to Build a Practical and Cost-Effective Security Strategy
How to Build a Practical and Cost-Effective Security StrategyCloudflare
 

More from Cloudflare (20)

Network Transformation: What it is, and how it’s helping companies stay secur...
Network Transformation: What it is, and how it’s helping companies stay secur...Network Transformation: What it is, and how it’s helping companies stay secur...
Network Transformation: What it is, and how it’s helping companies stay secur...
 
Scaling service provider business with DDoS-mitigation-as-a-service
Scaling service provider business with DDoS-mitigation-as-a-serviceScaling service provider business with DDoS-mitigation-as-a-service
Scaling service provider business with DDoS-mitigation-as-a-service
 
Application layer attack trends through the lens of Cloudflare data
Application layer attack trends through the lens of Cloudflare dataApplication layer attack trends through the lens of Cloudflare data
Application layer attack trends through the lens of Cloudflare data
 
Recent DDoS attack trends, and how you should respond
Recent DDoS attack trends, and how you should respondRecent DDoS attack trends, and how you should respond
Recent DDoS attack trends, and how you should respond
 
Cybersecurity 2020 threat landscape and its implications (AMER)
Cybersecurity 2020 threat landscape and its implications (AMER)Cybersecurity 2020 threat landscape and its implications (AMER)
Cybersecurity 2020 threat landscape and its implications (AMER)
 
Strengthening security posture for modern-age SaaS providers
Strengthening security posture for modern-age SaaS providersStrengthening security posture for modern-age SaaS providers
Strengthening security posture for modern-age SaaS providers
 
Kentik and Cloudflare Partner to Mitigate Advanced DDoS Attacks
Kentik and Cloudflare Partner to Mitigate Advanced DDoS AttacksKentik and Cloudflare Partner to Mitigate Advanced DDoS Attacks
Kentik and Cloudflare Partner to Mitigate Advanced DDoS Attacks
 
Stopping DDoS Attacks in North America
Stopping DDoS Attacks in North AmericaStopping DDoS Attacks in North America
Stopping DDoS Attacks in North America
 
It’s 9AM... Do you know what’s happening on your network?
It’s 9AM... Do you know what’s happening on your network?It’s 9AM... Do you know what’s happening on your network?
It’s 9AM... Do you know what’s happening on your network?
 
Cyber security fundamentals (simplified chinese)
Cyber security fundamentals (simplified chinese)Cyber security fundamentals (simplified chinese)
Cyber security fundamentals (simplified chinese)
 
Bring speed and security to the intranet with cloudflare for teams
Bring speed and security to the intranet with cloudflare for teamsBring speed and security to the intranet with cloudflare for teams
Bring speed and security to the intranet with cloudflare for teams
 
Accelerate your digital transformation
Accelerate your digital transformationAccelerate your digital transformation
Accelerate your digital transformation
 
Cyber security fundamentals (Cantonese)
Cyber security fundamentals (Cantonese)Cyber security fundamentals (Cantonese)
Cyber security fundamentals (Cantonese)
 
Cloudflareのソリューションを使用して悪意のあるBot対策
Cloudflareのソリューションを使用して悪意のあるBot対策Cloudflareのソリューションを使用して悪意のあるBot対策
Cloudflareのソリューションを使用して悪意のあるBot対策
 
Stopping DDoS Attacks In South Africa
Stopping DDoS Attacks In South AfricaStopping DDoS Attacks In South Africa
Stopping DDoS Attacks In South Africa
 
Cyber security fundamentals
Cyber security fundamentalsCyber security fundamentals
Cyber security fundamentals
 
Webinar - Cyber Security basics in Japanese
Webinar - Cyber Security basics in JapaneseWebinar - Cyber Security basics in Japanese
Webinar - Cyber Security basics in Japanese
 
How to Plan for Performance and Scale for Multiplayer Games
How to Plan for Performance and Scale for Multiplayer GamesHow to Plan for Performance and Scale for Multiplayer Games
How to Plan for Performance and Scale for Multiplayer Games
 
Fight bad bot on the internet
Fight bad bot on the internetFight bad bot on the internet
Fight bad bot on the internet
 
How to Build a Practical and Cost-Effective Security Strategy
How to Build a Practical and Cost-Effective Security StrategyHow to Build a Practical and Cost-Effective Security Strategy
How to Build a Practical and Cost-Effective Security Strategy
 

Recently uploaded

AWS Community DAY Albertini-Ellan Cloud Security (1).pptx
AWS Community DAY Albertini-Ellan Cloud Security (1).pptxAWS Community DAY Albertini-Ellan Cloud Security (1).pptx
AWS Community DAY Albertini-Ellan Cloud Security (1).pptxellan12
 
Call Girls In Pratap Nagar Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Pratap Nagar Delhi 💯Call Us 🔝8264348440🔝Call Girls In Pratap Nagar Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Pratap Nagar Delhi 💯Call Us 🔝8264348440🔝soniya singh
 
Trump Diapers Over Dems t shirts Sweatshirt
Trump Diapers Over Dems t shirts SweatshirtTrump Diapers Over Dems t shirts Sweatshirt
Trump Diapers Over Dems t shirts Sweatshirtrahman018755
 
Hot Call Girls |Delhi |Hauz Khas ☎ 9711199171 Book Your One night Stand
Hot Call Girls |Delhi |Hauz Khas ☎ 9711199171 Book Your One night StandHot Call Girls |Delhi |Hauz Khas ☎ 9711199171 Book Your One night Stand
Hot Call Girls |Delhi |Hauz Khas ☎ 9711199171 Book Your One night Standkumarajju5765
 
Call Now ☎ 8264348440 !! Call Girls in Green Park Escort Service Delhi N.C.R.
Call Now ☎ 8264348440 !! Call Girls in Green Park Escort Service Delhi N.C.R.Call Now ☎ 8264348440 !! Call Girls in Green Park Escort Service Delhi N.C.R.
Call Now ☎ 8264348440 !! Call Girls in Green Park Escort Service Delhi N.C.R.soniya singh
 
Shikrapur - Call Girls in Pune Neha 8005736733 | 100% Gennuine High Class Ind...
Shikrapur - Call Girls in Pune Neha 8005736733 | 100% Gennuine High Class Ind...Shikrapur - Call Girls in Pune Neha 8005736733 | 100% Gennuine High Class Ind...
Shikrapur - Call Girls in Pune Neha 8005736733 | 100% Gennuine High Class Ind...SUHANI PANDEY
 
Lucknow ❤CALL GIRL 88759*99948 ❤CALL GIRLS IN Lucknow ESCORT SERVICE❤CALL GIRL
Lucknow ❤CALL GIRL 88759*99948 ❤CALL GIRLS IN Lucknow ESCORT SERVICE❤CALL GIRLLucknow ❤CALL GIRL 88759*99948 ❤CALL GIRLS IN Lucknow ESCORT SERVICE❤CALL GIRL
Lucknow ❤CALL GIRL 88759*99948 ❤CALL GIRLS IN Lucknow ESCORT SERVICE❤CALL GIRLimonikaupta
 
Moving Beyond Twitter/X and Facebook - Social Media for local news providers
Moving Beyond Twitter/X and Facebook - Social Media for local news providersMoving Beyond Twitter/X and Facebook - Social Media for local news providers
Moving Beyond Twitter/X and Facebook - Social Media for local news providersDamian Radcliffe
 
2nd Solid Symposium: Solid Pods vs Personal Knowledge Graphs
2nd Solid Symposium: Solid Pods vs Personal Knowledge Graphs2nd Solid Symposium: Solid Pods vs Personal Knowledge Graphs
2nd Solid Symposium: Solid Pods vs Personal Knowledge GraphsEleniIlkou
 
VVIP Pune Call Girls Sinhagad WhatSapp Number 8005736733 With Elite Staff And...
VVIP Pune Call Girls Sinhagad WhatSapp Number 8005736733 With Elite Staff And...VVIP Pune Call Girls Sinhagad WhatSapp Number 8005736733 With Elite Staff And...
VVIP Pune Call Girls Sinhagad WhatSapp Number 8005736733 With Elite Staff And...SUHANI PANDEY
 
(+971568250507 ))# Young Call Girls in Ajman By Pakistani Call Girls in ...
(+971568250507  ))#  Young Call Girls  in Ajman  By Pakistani Call Girls  in ...(+971568250507  ))#  Young Call Girls  in Ajman  By Pakistani Call Girls  in ...
(+971568250507 ))# Young Call Girls in Ajman By Pakistani Call Girls in ...Escorts Call Girls
 
Call Girls Service Chandigarh Lucky ❤️ 7710465962 Independent Call Girls In C...
Call Girls Service Chandigarh Lucky ❤️ 7710465962 Independent Call Girls In C...Call Girls Service Chandigarh Lucky ❤️ 7710465962 Independent Call Girls In C...
Call Girls Service Chandigarh Lucky ❤️ 7710465962 Independent Call Girls In C...Sheetaleventcompany
 
Call Girls Ludhiana Just Call 98765-12871 Top Class Call Girl Service Available
Call Girls Ludhiana Just Call 98765-12871 Top Class Call Girl Service AvailableCall Girls Ludhiana Just Call 98765-12871 Top Class Call Girl Service Available
Call Girls Ludhiana Just Call 98765-12871 Top Class Call Girl Service AvailableSeo
 
On Starlink, presented by Geoff Huston at NZNOG 2024
On Starlink, presented by Geoff Huston at NZNOG 2024On Starlink, presented by Geoff Huston at NZNOG 2024
On Starlink, presented by Geoff Huston at NZNOG 2024APNIC
 
Dubai=Desi Dubai Call Girls O525547819 Outdoor Call Girls Dubai
Dubai=Desi Dubai Call Girls O525547819 Outdoor Call Girls DubaiDubai=Desi Dubai Call Girls O525547819 Outdoor Call Girls Dubai
Dubai=Desi Dubai Call Girls O525547819 Outdoor Call Girls Dubaikojalkojal131
 
All Time Service Available Call Girls Mg Road 👌 ⏭️ 6378878445
All Time Service Available Call Girls Mg Road 👌 ⏭️ 6378878445All Time Service Available Call Girls Mg Road 👌 ⏭️ 6378878445
All Time Service Available Call Girls Mg Road 👌 ⏭️ 6378878445ruhi
 
Al Barsha Night Partner +0567686026 Call Girls Dubai
Al Barsha Night Partner +0567686026 Call Girls  DubaiAl Barsha Night Partner +0567686026 Call Girls  Dubai
Al Barsha Night Partner +0567686026 Call Girls DubaiEscorts Call Girls
 

Recently uploaded (20)

AWS Community DAY Albertini-Ellan Cloud Security (1).pptx
AWS Community DAY Albertini-Ellan Cloud Security (1).pptxAWS Community DAY Albertini-Ellan Cloud Security (1).pptx
AWS Community DAY Albertini-Ellan Cloud Security (1).pptx
 
Call Girls In Pratap Nagar Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Pratap Nagar Delhi 💯Call Us 🔝8264348440🔝Call Girls In Pratap Nagar Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Pratap Nagar Delhi 💯Call Us 🔝8264348440🔝
 
Trump Diapers Over Dems t shirts Sweatshirt
Trump Diapers Over Dems t shirts SweatshirtTrump Diapers Over Dems t shirts Sweatshirt
Trump Diapers Over Dems t shirts Sweatshirt
 
Hot Call Girls |Delhi |Hauz Khas ☎ 9711199171 Book Your One night Stand
Hot Call Girls |Delhi |Hauz Khas ☎ 9711199171 Book Your One night StandHot Call Girls |Delhi |Hauz Khas ☎ 9711199171 Book Your One night Stand
Hot Call Girls |Delhi |Hauz Khas ☎ 9711199171 Book Your One night Stand
 
VVVIP Call Girls In Connaught Place ➡️ Delhi ➡️ 9999965857 🚀 No Advance 24HRS...
VVVIP Call Girls In Connaught Place ➡️ Delhi ➡️ 9999965857 🚀 No Advance 24HRS...VVVIP Call Girls In Connaught Place ➡️ Delhi ➡️ 9999965857 🚀 No Advance 24HRS...
VVVIP Call Girls In Connaught Place ➡️ Delhi ➡️ 9999965857 🚀 No Advance 24HRS...
 
Call Now ☎ 8264348440 !! Call Girls in Green Park Escort Service Delhi N.C.R.
Call Now ☎ 8264348440 !! Call Girls in Green Park Escort Service Delhi N.C.R.Call Now ☎ 8264348440 !! Call Girls in Green Park Escort Service Delhi N.C.R.
Call Now ☎ 8264348440 !! Call Girls in Green Park Escort Service Delhi N.C.R.
 
Shikrapur - Call Girls in Pune Neha 8005736733 | 100% Gennuine High Class Ind...
Shikrapur - Call Girls in Pune Neha 8005736733 | 100% Gennuine High Class Ind...Shikrapur - Call Girls in Pune Neha 8005736733 | 100% Gennuine High Class Ind...
Shikrapur - Call Girls in Pune Neha 8005736733 | 100% Gennuine High Class Ind...
 
6.High Profile Call Girls In Punjab +919053900678 Punjab Call GirlHigh Profil...
6.High Profile Call Girls In Punjab +919053900678 Punjab Call GirlHigh Profil...6.High Profile Call Girls In Punjab +919053900678 Punjab Call GirlHigh Profil...
6.High Profile Call Girls In Punjab +919053900678 Punjab Call GirlHigh Profil...
 
Lucknow ❤CALL GIRL 88759*99948 ❤CALL GIRLS IN Lucknow ESCORT SERVICE❤CALL GIRL
Lucknow ❤CALL GIRL 88759*99948 ❤CALL GIRLS IN Lucknow ESCORT SERVICE❤CALL GIRLLucknow ❤CALL GIRL 88759*99948 ❤CALL GIRLS IN Lucknow ESCORT SERVICE❤CALL GIRL
Lucknow ❤CALL GIRL 88759*99948 ❤CALL GIRLS IN Lucknow ESCORT SERVICE❤CALL GIRL
 
Moving Beyond Twitter/X and Facebook - Social Media for local news providers
Moving Beyond Twitter/X and Facebook - Social Media for local news providersMoving Beyond Twitter/X and Facebook - Social Media for local news providers
Moving Beyond Twitter/X and Facebook - Social Media for local news providers
 
2nd Solid Symposium: Solid Pods vs Personal Knowledge Graphs
2nd Solid Symposium: Solid Pods vs Personal Knowledge Graphs2nd Solid Symposium: Solid Pods vs Personal Knowledge Graphs
2nd Solid Symposium: Solid Pods vs Personal Knowledge Graphs
 
VVIP Pune Call Girls Sinhagad WhatSapp Number 8005736733 With Elite Staff And...
VVIP Pune Call Girls Sinhagad WhatSapp Number 8005736733 With Elite Staff And...VVIP Pune Call Girls Sinhagad WhatSapp Number 8005736733 With Elite Staff And...
VVIP Pune Call Girls Sinhagad WhatSapp Number 8005736733 With Elite Staff And...
 
(+971568250507 ))# Young Call Girls in Ajman By Pakistani Call Girls in ...
(+971568250507  ))#  Young Call Girls  in Ajman  By Pakistani Call Girls  in ...(+971568250507  ))#  Young Call Girls  in Ajman  By Pakistani Call Girls  in ...
(+971568250507 ))# Young Call Girls in Ajman By Pakistani Call Girls in ...
 
Low Sexy Call Girls In Mohali 9053900678 🥵Have Save And Good Place 🥵
Low Sexy Call Girls In Mohali 9053900678 🥵Have Save And Good Place 🥵Low Sexy Call Girls In Mohali 9053900678 🥵Have Save And Good Place 🥵
Low Sexy Call Girls In Mohali 9053900678 🥵Have Save And Good Place 🥵
 
Call Girls Service Chandigarh Lucky ❤️ 7710465962 Independent Call Girls In C...
Call Girls Service Chandigarh Lucky ❤️ 7710465962 Independent Call Girls In C...Call Girls Service Chandigarh Lucky ❤️ 7710465962 Independent Call Girls In C...
Call Girls Service Chandigarh Lucky ❤️ 7710465962 Independent Call Girls In C...
 
Call Girls Ludhiana Just Call 98765-12871 Top Class Call Girl Service Available
Call Girls Ludhiana Just Call 98765-12871 Top Class Call Girl Service AvailableCall Girls Ludhiana Just Call 98765-12871 Top Class Call Girl Service Available
Call Girls Ludhiana Just Call 98765-12871 Top Class Call Girl Service Available
 
On Starlink, presented by Geoff Huston at NZNOG 2024
On Starlink, presented by Geoff Huston at NZNOG 2024On Starlink, presented by Geoff Huston at NZNOG 2024
On Starlink, presented by Geoff Huston at NZNOG 2024
 
Dubai=Desi Dubai Call Girls O525547819 Outdoor Call Girls Dubai
Dubai=Desi Dubai Call Girls O525547819 Outdoor Call Girls DubaiDubai=Desi Dubai Call Girls O525547819 Outdoor Call Girls Dubai
Dubai=Desi Dubai Call Girls O525547819 Outdoor Call Girls Dubai
 
All Time Service Available Call Girls Mg Road 👌 ⏭️ 6378878445
All Time Service Available Call Girls Mg Road 👌 ⏭️ 6378878445All Time Service Available Call Girls Mg Road 👌 ⏭️ 6378878445
All Time Service Available Call Girls Mg Road 👌 ⏭️ 6378878445
 
Al Barsha Night Partner +0567686026 Call Girls Dubai
Al Barsha Night Partner +0567686026 Call Girls  DubaiAl Barsha Night Partner +0567686026 Call Girls  Dubai
Al Barsha Night Partner +0567686026 Call Girls Dubai
 

Practical Tips to Improve your eCommerce Website Performance and Security

  • 1. Practical Tips to Improve your eCommerce Website Performance and Security
  • 2. Speakers Derek Yee Product Marketing Lead, Performance Solutions Tim Fong Product Marketing Lead, Security Solutions Austin Davies Site Reliability Engineer, AO.com
  • 3. 2010 Launched at Techcrunch disrupt 700+ employees and counting 9 Offices San Francisco // London // Singapore // Austin // Miami Washington D.C. // Champaign // Boston // New York Cloudflare at a glance
  • 4. The Cloudflare Advantage Integrated Performance, Security, and Reliability 9.5 M domains and routing traffic for 2.5 Data Centers with 15 Tbps capacity 150+ HTTP Internet traffic 10% All DNS queries 38%& SCALE INTEGRATED STACK EASY FINE- GRAINED CONTROL Global Data Center Anycast Network China Network WAF/Firewall DDoS Content Optimization Load Balancing Rate Limiting DNS Argo Workers Latest Web Standards TLSSpectrum Mobile SDK Access CDN Stream
  • 5.
  • 6. eCommerce News Events Amazon $90 million lost in a concentrated 75 minute outage Adidas Millions of contact information, usernames and encrypted passwords leaked Macy’s Personal information and credit card information potentially exposed to a third party
  • 8. Factors increasing exposure to security risks Greater scrutiny by government and media around data, privacy and security Greater attack surface area from more public APIs, moving to the cloud, and increasing third-party integrations Stronger and more sophisticated attackers
  • 9. Customers’ Security Threats SYSTEM DDoS Attack Attack traffic impacts availability or performance Vulnerable Applications and APIs Multi-vector attacks that exploit vulnerabilities Webpage
  • 10. Volumetric DNS Flood Bots DNS Server DNS Server Server Amplification (Layer 3 & 4) HTTP Flood (Layer 7) 1 2 Bots 3 Bots Degrades availability and performance of applications, websites, and APIs HTTP Application Application/Login Types of DDoS Attack Traffic
  • 11. Application and API Vulnerabilities Fake Website Visitors 1DNS Spoofing Malicious Payload eg: SQLi that ex-filtrates PII and credentials 3 Attacker Bots Brute Force 4 Data Snooping 2
  • 13. Customers’ Performance Challenges INFRASTRUCTURE Unavailable Applications Overloaded or unavailable infrastructure stops users from accessing applications Slow Internet Applications and API Heavy pages and long distances from the origin slow down Internet applications and APIs Internet Application Mobile Slow Mobile Sites and Apps Mobile clients introduce performance and content delivery constraints that hurt user experience Users
  • 14. Slow Web Pages, Applications, and APIs Business, customers, and users are more globally distributed, requiring content to travel longer distances Origin Heavier pages from more and bigger assets like images and javascript take longer to load More interactivity and personalization require more trips to the origin
  • 15. Slow Mobile Sites and Apps Origin Mobile devices have limited compute, memory and power which slows down processing content like images or client-side code Mobile apps use APIs which increase calls to the origin Mobile devices have slower and more erratic networks which hurts throughput
  • 16. Overloaded or Unavailable Infrastructure Applications or individual origin servers experience unexpected downtime and hard-to-troubleshoot outages, which prevent user access Traffic, both expected and unexpected, exceeds capacity of the origin server or data center, making them unavailable or less performant Manual disaster recovery and in- house load-balancing exposes applications to downtime while increasing maintenance and operational costs Primary Failover
  • 18. Multi-layer Protection Deploy rate-limiting on Cloudflare and build it into our software. Never rely on a single point of protection. Network-Access Based Locking down systems to particular networks using Cloudflare URL lockdown rules and only provide access to what is needed - the principle of least privilege. HTTPS Everywhere Ensure that all customer facing systems communicate over HTTPS at the application level. Web App Firewall Enabled WAF on all of our sites - we're a common target for scraping since we advertise prices on our sites, utilise the WAF not only for protection but also to stop fake bots from scraping our sites. Security Best Practices
  • 19. Performance Best Practices. Cache Everything: with Cloudflare we specify what we don’t want to cache - any new pages added to our site get cached by default. Minification: we minify all of our content using Cloudflare Auto Minify. This improves customer download times on mobile, and reduces our bandwidth costs as well. Smart Routing and Tiered Caching: the cost of network latency can often be overlooked and it's important that the customer receives the fastest route to our sites. A 50 millisecond win through smart routing is a win that applies to all of your requests. Async Script Loading: JavaScript can be deferred and loaded asynchronously (in parallel with each other) - we currently utilise Cloudflare Rocket Loader on 50% of our sites to achieve this technique without having to make changes to our underlying code.
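Cache-by-default is only safe when the exclusion list is right, and the failure mode is a customer's basket or account page served from the cache to someone else. The following added example (not AO.com's configuration, not Cloudflare's) models the approach as the origin's decision about the `Cache-Control` header it emits: a short list of customer-specific path prefixes is excluded, and a safety net refuses to cache any response that sets a cookie or was requested with a session cookie or `Authorization` header, whatever the path. The prefixes, cookie names, TTLs and the fingerprint pattern for static assets are assumptions.

```python
"""Cache-everything response policy with explicit exclusions (added example)."""
import re

# Assumption: the customer-specific areas of the shop.
NO_CACHE_PREFIXES = ("/basket", "/checkout", "/account", "/api/session")
# Assumption: cookie names that mark a logged-in customer.
SESSION_COOKIES = {"session", "auth"}

PUBLIC_TTL = 3600        # one hour at the edge for catalogue pages
STATIC_TTL = 31536000    # one year for content-hashed assets
# Assumption: static assets carry a hex content hash, e.g. app.d41d8cd9.js
STATIC_RE = re.compile(r"\.[0-9a-f]{8,}\.(css|js|png|jpg|svg|woff2)$")

PRIVATE = "private, no-store"


def _has_session_cookie(cookie_header: str) -> bool:
    for part in cookie_header.split(";"):
        name, _, _ = part.strip().partition("=")
        if name in SESSION_COOKIES:
            return True
    return False


def cache_control(path: str, request_headers: dict, response_headers: dict) -> str:
    """Return the Cache-Control value the origin should send for this response.

    The 'never cache' checks run first, so a personalised response cannot be
    stored and served to another customer even if the exclusion list is stale.
    """
    req = {k.lower(): v for k, v in request_headers.items()}
    resp = {k.lower(): v for k, v in response_headers.items()}

    # 1. Explicit exclusions: the parts of the site that are customer-specific.
    if path.startswith(NO_CACHE_PREFIXES):
        return PRIVATE
    # 2. Safety net: a response that establishes a session, or a request made
    #    inside one, is personal whatever the URL says.
    if "set-cookie" in resp or "authorization" in req:
        return PRIVATE
    if _has_session_cookie(req.get("cookie", "")):
        return PRIVATE
    # 3. Content-hashed static assets never change under the same URL.
    if STATIC_RE.search(path):
        return f"public, max-age={STATIC_TTL}, immutable"
    # 4. Everything else (products, categories, search) is cached by default.
    return f"public, max-age={PUBLIC_TTL}"


if __name__ == "__main__":
    for p, rq, rs in [
        ("/products/123", {}, {}),
        ("/basket", {}, {}),
        ("/products/123", {"Cookie": "session=abc"}, {}),
        ("/static/app.d41d8cd9.js", {}, {}),
    ]:
        print(p, "->", cache_control(p, rq, rs))
```

Step 2 means a logged-in customer's product page is not cached either. The way to keep the cache hit rate high for logged-in users is to keep the personalised fragments (basket count, name) out of the HTML and fetch them from a separate non-cached endpoint, which is the "cache all non-customer-specific data" split that the NatureBox case study below describes.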
  • 20. Customer Case Study: de Bijenkorf. de Bijenkorf is a luxury department store based in the Netherlands dedicated to surprising its customers with exceptional products through an inspiring and unique customer experience. CHALLENGES: protection against DDoS attacks; maintain performance. CLOUDFLARE SOLUTION: automatic DDoS mitigation for layer 3 & 4 attacks; global CDN. KEY RESULT: peace of mind with a protected, secured app; prevents significant, six-figure revenue loss. "We were really excited about a single vendor solution with easy setup, easy use, maximum protection, and a very friendly team." Christiaan Mourik, Head of Technology. www.cloudflare.com/case-studies/debijenkorf/
  • 21. Customer Case Study: Lenskart. Lenskart has sprinted to be India's fastest growing eyewear business. CHALLENGES: protecting customer data; rapid growth meant high notoriety for attack. CLOUDFLARE SOLUTION: CDN; WAF. KEY RESULTS: sensitive data protected with 30,000 WAF blocks per month; 72% (8Tb) bandwidth savings with CDN; DDoS mitigation. “Cloudflare’s Web Application Firewall blocks over 30,000 threats from hitting our website every month,” Barat noted. “We process sensitive customer data, so having Cloudflare as an extra layer of protection to prevent exfiltration of that data brings us peace of mind. Plus, with Cloudflare’s DDoS mitigation we know our site won’t experience costly downtime.” Nirbhab Barat. www.cloudflare.com/case-studies/lenskart/
  • 22. Customer Case Study: Touch of Modern. Touch of Modern is a curated commerce destination for the modern man. “We discover the most interesting products in the world,” explained Steven Ou, CTO of Touch of Modern, “and make them available to you at unbeatable prices.” CHALLENGES: “We save customer credit cards for reuse, which provides a more convenient shopping experience, but if a customer account got breached, it could result in unauthorized credit card charges, which would be a nightmare for both us and our customers.” CLOUDFLARE SOLUTION: global CDN with 150+ data centers; Argo Smart Routing; WAF. KEY RESULTS: sensitive customer data protected; estimated 5% increase in conversion with a faster website; 27% faster web presence with Argo Smart Routing. “Cloudflare helps keep us online, provides a faster site experience to our end users, and protects our customers’ sensitive information.” Steven Ou, CTO. www.cloudflare.com/case-studies/touch-of-modern
  • 23. Customer Case Study: NatureBox. NatureBox is a leading packaged food provider offering their products through their online store and leading grocers. CHALLENGES: “Having a quick website is very integral to us being able to sell a product online.” “One of our main API requests for our catalog data was taking on average 20 seconds.” CLOUDFLARE SOLUTION: CDN; DNS; application security. KEY RESULTS: completely edge-cached response to ~35 ms response time (17x improvement); single vendor for every solution (DNS, CDN, security). “We use Cloudflare . . . to cache all of our non-customer-specific data, including the entirety of our product catalog, inventory, etc. so that we can deliver those responses to the customer as fast as possible.” Shawn Zeller, Principal Architect. www.cloudflare.com/case-studies/naturebox/
  • 25. Q&A

Editor's Notes

  1. Founded in 2010, we have over 700 employees who speak over 41 different languages. We’re Headquartered in San Francisco, and have offices in New York, London, Singapore, as well as regional offices in 4 other cities. From a growth perspective, we have a very strong balance sheet and are continually reinvesting into our products, people, network and research and development.
  2. (https://jira.cfops.it/browse/MRK-5212) Talk Track: Cloudflare leads other performance and security providers in addressing each of the three major requirements. Scale: Cloudflare works at a global scale with an anycast network of 120+ global data centers serving 10% of all HTTP internet traffic and 38% of all DNS queries to over 2.5 billion visitors on behalf of our 7 million customers. Integrated stack: every Cloudflare data center supports every Cloudflare security and performance product, including dynamic routing, caching, DDoS mitigation, SSL termination, DNS, WAF and more. Easy fine-grained control: even the largest of Cloudflare customers can onboard in under 5 minutes. Cloudflare’s easy-to-use dashboard, API, and included support make initial configuration and any required changes simple to complete.
  3. Talk Track: Three factors are leading many of our customers to experience a growing exposure to security threats.
Greater attack surface results from three common trends: applications publishing more public APIs; companies moving more applications, including production-level workloads, to the cloud; and increasing third-party integrations.
Attackers are stronger, in three ways: greater volume and greater distribution, including IoT devices as sources; greater motivation through the success of holding companies for ransom; and a shift to harder-to-detect and harder-to-block "application" layer attacks.
A greater attack surface area along with stronger attackers would, alone, be a big concern. But at the same time there is greater scrutiny of security incidents: governments are applying greater scrutiny to privacy and data issues; media reports of breaches and cybersecurity incidents have increased; and individual consumers are more educated and aware because of high-profile reporting (a combination of the first two).
Questions: Do any of these actually sound familiar for your business? Do you believe your exposure is decreasing, increasing or the same? In what ways?
Background Reading (you can build this into your talk track): Companies are facing increased pressure to strengthen their security posture. Three forces contributing to the pressure are: attack surface area increases from applications exposing more public APIs, the increase in SaaS adoption, and integration with more third-party applications; attackers are stronger, more sophisticated, and highly motivated; and heightened public and government scrutiny of data, privacy, and security. Attackers are increasing the frequency and volume of Distributed Denial of Service (DDoS) attacks. By leveraging botnets and the millions of Internet-of-Things (IoT) devices online, they are able to wage highly distributed volumetric attacks with greater ease and impact.
In addition to higher volumes, attackers are shifting their focus from the network layer to the application layer. Application-layer or "Layer 7" attacks are harder to detect, often require fewer resources to bring down a website or application, and can disrupt operations with greater impact. Attackers are able to monetize their attempts to bring down sites or steal sensitive data, for example by holding sites for ransom. As a result, because of successful ransom payouts by their enterprise targets, the attackers are more motivated, organized and pervasive.
  4. Talk Track: In light of this growing exposure to security risks, what are the primary threats you may encounter? We spent time talking with OUR customers across different verticals to truly understand the most common fears. These match what industry analysts are reporting: the site is unavailable because of a denial-of-service attack; customer data is compromised (e.g. breached or stolen); and, increasingly, abusive bot activity. For each of these broad types of threat, we’ll quickly go into more detail about what those attacks could look like. Questions: Which, if any, of these are most important for you? For the others, do you anticipate they could become problems, or think they won’t impact your business? And if so, why? If there was a pre-call: “I know you shared initial concerns about DDoS, what about data compromise?”
  5. Talk Track: This slide gives examples of the types of DDoS attack. We could dive deeper with the rest of your team and our security team as well. The important take-away is that these attacks are layered; in other words, a DDoS can attack different parts of your infrastructure. Volumetric DNS Flood: a high volume of DNS queries against your DNS servers to make them unavailable. Amplification: using open DNS resolvers to amplify requests sent with a spoofed source address, so that the much larger responses overload your server over UDP (Layer 3 & 4). HTTP Flood: a volumetric HTTP request attack that exhausts the application itself (Layer 7). All of these attacks impact the availability and performance of websites, applications and APIs. Questions: This is often a good, in-depth slide to share with a broader audience, for example if you have a security or infrastructure team. Would you be interested in that? Which have you experienced in the past, if any? How did you respond to them if you did?
  6. Talk Track: When it comes to compromise of sensitive customer data, you may be most familiar with malware. While that’s a very visible form of attack right now, we should consider that there are other common, just less media-hyped, forms of customer data theft. The take-away for this slide is that attackers can take advantage of different vulnerabilities. DNS Spoofing: visitors are directed to a fake site instead of your site. A compromised DNS record, or "poisoned cache," can return a malicious answer from the DNS server, sending an unsuspecting visitor to an attacker's site. This enables attackers to steal user credentials and then take over legitimate accounts. Data Snooping: sensitive data like a visitor’s credentials or credit cards is snooped over the wire. Attackers can intercept or "snoop" on customer sessions to steal sensitive customer data, including credentials such as passwords or credit-card numbers. Brute Force: attackers repeatedly try credentials to take over an account. Attackers can wage "dictionary attacks" by automating logins with dumped credentials to "brute force" their way through a login-protected page. Malicious Payload: SQL injection, cross-site scripting, or remote file inclusion that results in exfiltrated data. Malicious payloads exploit an application vulnerability. The most common forms are SQL injection, cross-site scripting, and remote file inclusion. Each of these can exfiltrate sensitive data by running malicious code against the application. The risk is that sensitive customer data, such as credit card information, gets compromised.
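The "malicious payload" item above, shown concretely as an added example (not code from the deck): an order-lookup query for an eCommerce account page, first built by string formatting and then with bound parameters. The `orders` table, its rows and the payload string are constructed for the example; the lookup models a page where the customer id comes from the session and the order reference from the URL. It uses the standard-library `sqlite3` driver so it runs without a database server.

```python
"""SQL injection: the vulnerable query beside the parameterised one (added example)."""
import sqlite3

# What an attacker types into the order-reference field. It closes the quoted
# string early and appends a condition that is always true.
PAYLOAD = "x' OR '1'='1"


def make_db() -> sqlite3.Connection:
    """Constructed sample data: customer 7 owns one order, customer 8 owns two."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE orders (id INTEGER PRIMARY KEY, customer_id INTEGER, ref TEXT, total REAL)"
    )
    conn.executemany(
        "INSERT INTO orders VALUES (?, ?, ?, ?)",
        [(1, 7, "A-100", 19.99), (2, 8, "B-200", 250.00), (3, 8, "B-201", 12.50)],
    )
    conn.commit()
    return conn


def find_order_vulnerable(conn, customer_id: int, order_ref: str):
    # VULNERABLE: user input is spliced into the SQL text, so it can change the
    # statement's structure. With PAYLOAD the WHERE clause becomes
    #   customer_id = 7 AND ref = 'x' OR '1'='1'
    # which is true for every row: the customer_id check is bypassed and the
    # other customers' orders are returned (exfiltration).
    sql = (
        "SELECT id, customer_id, ref, total FROM orders "
        f"WHERE customer_id = {int(customer_id)} AND ref = '{order_ref}'"
    )
    return conn.execute(sql).fetchall()


def find_order_fixed(conn, customer_id: int, order_ref: str):
    # FIXED: placeholders keep the data out of the SQL text. The driver passes
    # order_ref as a value, so the payload is compared as a literal string and
    # matches nothing; the statement's structure cannot be altered by input.
    sql = "SELECT id, customer_id, ref, total FROM orders WHERE customer_id = ? AND ref = ?"
    return conn.execute(sql, (customer_id, order_ref)).fetchall()


if __name__ == "__main__":
    db = make_db()
    print("legitimate :", find_order_fixed(db, 7, "A-100"))
    print("vulnerable :", find_order_vulnerable(db, 7, PAYLOAD))  # leaks customer 8's orders
    print("fixed      :", find_order_fixed(db, 7, PAYLOAD))       # []
```

The tautology string is one of many encodings of the same idea, and a WAF in front of the site can only match the ones it has signatures for; parameterising every query closes the whole class at the application layer, which is why the slides pair the WAF with application-side protection rather than relying on one of them.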
  7. Talk Track: As customer expectations increase, as the importance of mobile rises, and as users globalize faster, these three forces strain application performance. The top three performance concerns resulting from these shifts are: slow web pages, applications or APIs due to heavier content or longer distances to the origin; slow mobile experiences, for both sites accessed over mobile and native mobile apps; and unavailable applications through overloaded infrastructure, congested networks, or unexpected, hard-to-troubleshoot issues with the application itself. Let’s look at some of the underlying causes of these problems. Additional Info: Heavier pages and long distances from the origin slow down sites or applications; higher expectations result in heavier pages, and a more global user base increases distances from the origin. Mobile clients introduce performance and content delivery constraints that hurt user experience: lower power and memory, poor networks, frequent calls to the origin. Overloaded or unavailable infrastructure stops users from accessing applications; because of richer interactions and more business transacting online, availability and disaster recovery are even more important. Questions: Which, if any, of these are most important for you? For the others, do you anticipate they could become problems, or think they won’t impact your business? And if so, why? How geographically distributed is your customer base? Have you run into any performance problems when trying to create richer content or more interactive experiences? Have you seen a shift towards more mobile users? What % of customers are coming from mobile devices? Are mobile users more or less engaged than traditional users? Have you had unplanned outages? How do you handle outages? Do you have an action plan?
  8. Talk Track: Because users need richer experiences, your application and website pages become heavier, for example because of more complex CSS, larger images, or the ever-increasing number of JavaScript snippets, whether for business metrics or user interactivity. The higher page size increases the amount of data that must travel over the network. As dynamic content to support personalization and interactivity grows, the number of connections or trips to the origin also increases. For example, an interaction which needs to fetch profile information, or to process inputs from the user about purchase preferences, raises the amount of personalization and interactivity and, therefore, the number of trips to the origin and connections. Each additional trip adds latency because of the time to make connections, as well as the greater distances to the origin for this dynamic content. And as users, whether customers or internal employees, become more globally dispersed, content must travel longer distances, sometimes on less reliable networks, which introduces even more latency. Additional Info: Heavier pages take longer to load: there are more assets, like images and JavaScript, which send more bytes; the assets themselves are heavier (bigger, full-size images, more complex JavaScript frameworks, more tracking JavaScript); more assets require more requests. More interactivity and personalization require more trips to the origin: content is more personalized and pulls from a data store; interactivity sends more requests to the origin; passive data collection back at the origin (?). Going global, faster: customers are further away from the origin, so content has further to travel; a global base increases the number of customers with slower networks. Interesting Statistics: In an article in Wired, the average size of a web page is now 2.3MB, which is larger than the famous computer game Doom was when it was first released.
"The Average Webpage Is Now the Size of the Original Doom", Klint Finley, 4.23.16, Wired, https://www.wired.com/2016/04/average-webpage-now-size-original-doom/ : "Today’s average webpage, meanwhile, requires users to download about 2.3MB worth of data, according to HTTP Archive, a site that tracks website performance and the technologies they use."
  9. Talk Track: When it comes to the customer mobile experience, the same issues we just discussed for web pages, applications, or APIs hurt the user experience even more. Mobile clients add latency when decompressing and rendering images, processing client-side code, and establishing connections, because of less performant CPU, memory, and power compared to desktops. Mobile devices often connect to spottier and lower-throughput networks, which increases latency and errors. Mobile apps also typically increase the number of API calls needed, which reduces the effectiveness of caching and requires requests to travel longer distances to the origin. Additional Info: Growth in mobile usage, traffic, and transactions compounds the performance issues already found on desktop. Mobile clients introduce performance and content delivery constraints that hurt user experience. Mobile devices have limited compute, memory and power, which slows the ability to process content like images or client-side code. Networks are often slower and more erratic: mobile network operators throttle (https://opensignal.com/blog/2015/06/16/data-throttling-operators-slow-connection-speed/); mobile networks introduce latency (https://serverfault.com/questions/387627/why-do-mobile-networks-have-high-latencies-how-can-they-be-reduced and https://en.wikipedia.org/wiki/Radio_Resource_Control); mobile customers move from hot spot to hot spot, and tower to tower. Mobile apps are designed around API requests to the origin. Users on mobile devices are often mobile, and can switch between hotspots while using applications. The devices themselves have limited memory, CPU and power, which slows the ability to process content, such as image decompression, rendering, or running client-side code such as JavaScript. Mobile networks are often spottier than wired connections; sometimes mobile network operators throttle connection speeds, and in many countries the network hasn’t been upgraded to accommodate faster transit.
  10. Talk Track: The other primary problem occurs when performance degrades so badly, due to network congestion or overloaded infrastructure, that applications stop being available to users altogether. The common causes of unavailability include the following: applications or individual origin servers experience unexpected downtime and hard-to-troubleshoot outages; traffic, whether good or bad, exceeds the capacity of a specific origin server or data center, making it unavailable; and many companies have manual, error-prone disaster recovery and in-house load balancing, which increases the risk of application failure while adding maintenance and operational costs.
  11-13. Talk Track: Here’s a use case of a mobile app defending itself against DDoS attacks with a WAF.