HomeDev GuideAPI Reference
Dev GuideAPI ReferenceUser GuideLegal TermsGitHubNuGetDev CommunitySubmit a ticketLog In


Describes general security aspects in software development and specific considerations when developing solutions for Optimizely Digital Experience Platform (DXP).

Security and privacy are built into the Azure platform, and any feature that Optimizely develops must meet the highest quality standards. This is ensured by various coding guidelines that must be met before the code is considered for inclusion in the platform.

Guidelines include performance considerations, security concerns, and globalization and localization aspects. Optimizely bases much of its platform-related security efforts on the Open Web Application Security Project (OWASP).

The Optimizely platform is tested against:

  • Injection
  • Cross-site scripting (XSS)
  • Broken authentication and session management
  • Insecure direct object references
  • Cross-site request forgery (CSRF)
  • Security misconfiguration
  • Insecure cryptographic storage
  • Failure to restrict URL access
  • Insufficient transport layer protection
  • Unvalidated redirects and forwards

See Security in the Optimizely Content Management System (CMS) Developer Guide.

The following information describes specific security aspects related to DXP.

DDoS protection

DDoS (Distributed Denial of Service) attacks are common and complex, and traditional on-premises solutions cannot handle these. Optimizely DXP offers advanced protection at the network edge through its CDN provider, including UDP and ICMP protocols, DNS amplification, Layer 7 and 3/4, SYN/ACK, and SMURF (see information on the Internet for this terminology).

Microsoft Azure also protects against attacks generated from outside and inside the platform.

Web Application Firewall

Web Application Firewall (WAF) sits in front of web applications to filter out malicious traffic at the application layer (Layer 7 of the Open Systems Interconnection (OSI) Model, including HTTPS and HTTP traffic). A WAF stops attacks at the network edge, protecting your website from common web threats and specialized attacks before they reach your servers.

WAF is included in the Optimizely DXP; see Web Application Firewall for details.

Secure communication

SSL (Secure Sockets Layer)

SSL is commonly used for encrypted integration and communication with other services through REST and web service APIs. Domains in DXP are protected by SSL by default. SSL termination is at the CDN for editorial or administrative views and on the public website. Customized Commerce packages also include SSL termination at the CDN for Commerce Manager.

VPN (Virtual Private Network)

VPN can allow a secure connection to an internal corporate resource. Note that communication is one-way to the on-premises system.

Application environment

Azure Web Apps do not use the traditional version of Microsoft Windows but rather a purpose-built version with a smaller attack surface and reduced vulnerability. Each customer solution uses isolated resources with independent databases and Web Apps.


Optimizely DXP relies on Microsoft's standard approach for Azure anti-malware to provide real-time protection and content scanning.

Service window and patching

DXP uses Azure Web Apps to run Optimizely applications and thus aligns with the Microsoft patch release cycle. Microsoft is responsible for patch management. Optimizely works closely with Microsoft for any edge cases involving patching.

Product updates and upgrades

Optimizely has a continuous release cycle with releases every week. Releases include features and fixes, and you can upgrade your solution at a cadence that makes sense for your business.



You are responsible for installing appropriate software updates to the Optimizely platform in your solution.


Optimizely DXP leverages the Microsoft Azure platform. The underlying infrastructure follows Microsoft Azure compliance standards, certifications, and supporting processes.

Penetration testing

Microsoft and their Red Team regularly provide a penetration test to the underlying infrastructure of DXP. The Optimizely platform is also subject to regular penetration tests by customers and partners.

However, any implementation on the Optimizely platform could unexpectedly introduce a security hole. You need to ensure that your solution is thoroughly tested before going live.

You can conduct your tests using tools or security services of your choice, or you can order this service through Optimizely Expert Services.

If you plan to perform your penetration tests, you must notify Optimizely at least 10 business days before the planned testing.

To notify Optimizely about your test, submit a ticket to Optimizely with your test plan including:

  • Test type and approach
  • Contact information for emergency issues
  • Expected start and end times
  • Listing of IP addresses and DNS names from where the tests will originate

Outbound IP addresses

While the outbound IP addresses of a DXP environment can stay static for extended periods, there is no guarantee that they will. They can change anytime, and Optimizely cannot monitor this or proactively inform customers of a potential change.

Optimizely strongly discourages using the outbound IP addresses for security purposes because important site functionality may break at any time when the outbound IP addresses change.

Instead, you should use other methods to secure the traffic, like a certificate, key-based authentication, or a VPN.

Related topics