SCAPI Protection Considerations

Limitations and options when protecting SCAPI (PWA Kit, Composable Storefront) with the HUMAN cartridge.

When you protect SCAPI (Shopper Commerce API) endpoints—for example, with PWA Kit or Composable Storefront—you should be aware of how B2C Commerce handles request headers and how to ensure HUMAN receives the data it needs.

There are two options to send data to HUMAN:

  1. Using SCAPI cartridge
  2. Install an Enforcer in front of SCAPI

Contact Salesforce before choosing an approach

The best option depends on your architecture and constraints. You must consult with Salesforce for their recommendation for your setup. Each customer and use case can be different.

Option 1: Using SCAPI cartridge

SFCC omits or modifies certain request headers, such as the User-Agent, before the request reaches your cartridge. As a result, HUMAN may receive requests that do not match the original request. HUMAN needs the same data it would see on a normal storefront request (including the relevant headers and, where applicable, cookies) to evaluate risk correctly. To ensure HUMAN receives the original values, you must explicitly pass the original headers, prefixing each header name with c_px-. When passing original request data, you must include at least the following:

  PX cookies: HUMAN (PerimeterX) cookies from the client (e.g. _px, _pxhd). Required for cookie-based validation and the challenge flow.
  User-Agent: The original User-Agent header from the client. Used for fingerprinting and bot detection; if altered or missing, scoring is less accurate.
  Client IP: The original client IP (e.g. from X-Forwarded-For or your proxy's header). Used for IP-based signals and geolocation.

Without this data, the Enforcer can't properly evaluate risk or block possible threats, so sending these values is the minimum requirement. We also recommend passing any additional headers you can to improve the Enforcer's detection.

The two ways to do this with the SFCC cartridge are:

  1. Single custom header (SCAPI Custom Header Name)
    Configure the SCAPI Custom Header Name option. In your proxy or client, send the original headers (and, optionally, cookies) in a single custom header whose name matches this setting, encoded as a key-value list (comma-separated, or in another format agreed with HUMAN). The cartridge parses that header and uses the values for enforcement.

  2. Individual headers with c_px- prefix
    Send each original header you need (e.g. User-Agent, Accept-Language) as a separate request header. Each header name must be prefixed with c_px- (e.g. c_px-user-agent, c_px-accept-language). The platform forwards these to the backend, and the cartridge reads and uses them.

Whichever method you use, pass all original headers (such as User-Agent, Accept, Accept-Language, and any custom headers your frontend sends) so that the Enforcer can score requests accurately.
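As an added example (not code from the HUMAN cartridge, PWA Kit, or Salesforce), the following Node.js function shows how a PWA Kit server layer or proxy could assemble the c_px- headers for the individual-header method above. The header names c_px-cookie and c_px-x-forwarded-for for the PX cookies and client IP are assumptions; the page only confirms the c_px-user-agent and c_px-accept-language pattern, so check the exact names with HUMAN or Salesforce for your cartridge version.

```javascript
// Added example (not HUMAN's or Salesforce's code): build the c_px- prefixed
// headers a PWA Kit server layer or proxy attaches to an outgoing SCAPI
// request (Option 1, individual-header method). Assumed names: c_px-cookie
// carries the PX cookies and c_px-x-forwarded-for the client IP; confirm
// both with HUMAN/Salesforce for your cartridge version.
const PREFIX = 'c_px-';
// Headers forwarded verbatim under the prefix. User-Agent is required; the
// others improve detection and are forwarded whenever present.
const FORWARDED_HEADERS = ['user-agent', 'accept', 'accept-language', 'referer', 'origin'];

// Parse a Cookie header and keep only HUMAN cookies (names starting with _px),
// so session or cart cookies are not duplicated into a second header.
function extractPxCookies(cookieHeader) {
  if (!cookieHeader) return '';
  return cookieHeader
    .split(';')
    .map((c) => c.trim())
    .filter((c) => c.startsWith('_px'))
    .join('; ');
}

// incoming: lower-cased header map of the original shopper request (Node style).
// clientIp: the client address your proxy has already established, if any.
// Returns { headers, missing }: headers to add to the SCAPI call, and which of
// the three required signals could not be found in the incoming request.
function buildScapiForwardHeaders(incoming, clientIp) {
  const headers = {};
  const missing = [];

  for (const name of FORWARDED_HEADERS) {
    if (incoming[name]) headers[PREFIX + name] = incoming[name];
  }
  if (!headers[PREFIX + 'user-agent']) missing.push('User-Agent');

  const px = extractPxCookies(incoming.cookie);
  if (px) headers[PREFIX + 'cookie'] = px; else missing.push('PX cookies');

  // Prefer the proxy-established address; otherwise take the first hop of XFF.
  const ip = clientIp || (incoming['x-forwarded-for'] || '').split(',')[0].trim();
  if (ip) headers[PREFIX + 'x-forwarded-for'] = ip; else missing.push('Client IP');

  return { headers, missing };
}

// Constructed sample shopper request for a stand-alone run.
const sample = {
  'user-agent': 'Mozilla/5.0 (constructed)',
  cookie: 'sid=abc123; _px3=px3value; _pxhd=pxhdvalue; cart=xyz',
  'x-forwarded-for': '203.0.113.10, 10.0.0.2',
};
console.log(buildScapiForwardHeaders(sample, ''));
```

If `missing` is non-empty, log it and investigate the upstream layer that dropped the value rather than sending the SCAPI call without it, since the Enforcer cannot score the request reliably.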

We recommend passing as many headers as possible beyond just the required ones to improve detection. The more headers you send, the better the detection performance.

Option 2: Install an Enforcer in front of SCAPI

If you prefer not to rely on passing headers through B2C Commerce, you can install the Enforcer on a proxy or CDN (or at your SFCC MRT level). This method protects SCAPI traffic before it reaches the platform: you are not dependent on SFCC's header-forwarding behavior, and enforcement happens with full request visibility.