[FEATURE] Identify traffic coming from MRT

[johnboxall]

In stacked CDN setups, or when you're calling controllers or OCAPI, it can be useful to identify traffic originating from MRT such that you can configure firewall rules to allow it.

Today, it is possible to identify traffic that likely came from MRT but requires works to guarantee it.

The most straight forward way to provide some level of security is to inspect incoming HTTP requests for the x-mobify: true request header.

This is present in proxy requests:

https://playground-20x-us-west-1.mobify-storefront-staging.com/mobify/proxy/httpbin/headers
https://developer.salesforce.com/docs/commerce/pwa-kit-managed-runtime/guide/proxying-requests.html#request-and-response-modifications

From there, you can also seek to allow only AWS IPs from the EC2 and CLOUDFRONT_ORIGIN_FACING ranges:

https://developer.salesforce.com/docs/commerce/pwa-kit-managed-runtime/guide/mrt-overview.html#constraints

But this is a rather large set!

$ curl -s https://ip-ranges.amazonaws.com/ip-ranges.json | jq -r '.prefixes[] | select(.service=="EC2" or .service=="CLOUDFRONT") | .ip_prefix' | wc -l
1242

If you must identify requests from MRT, you can move requests to the App Server (ssr.js) and use an environment variable to a shared secret HTTP header ... but the App Server isn't optimized for forwarding requests like proxies are.

https://github.com/salesforceCommerceCloud/pwa-kit/compare/example-using-proxy

Ideally, we'd have some way to add a shared secret to out-going requests from MRT.

[johnboxall]

In some scenarios, we've seen the Storefront zone hosted on eCDN block traffic originating from MRT. To resolve, review your eCDN Allow Lists and Security Settings in Business Manager allowing traffic from MRT:

https://help.salesforce.com/s/articleView?id=cc.b2c_waf_application.htm&type=5