Learn about the security features that protect your Shopify store from bots, fraud, and unwanted traffic.
Real-time visitor evaluation and checkout protection that instantly identifies and blocks threats before they can interact with your store. Cryptographic tokens ensure only legitimate customers who've actually browsed your store can complete purchases, blocking headless bot scripts that bypass your storefront entirely.
Edge Signal Collection
Every visitor is evaluated at the Cloudflare edge across 300+ global points of presence. Multiple device, network, and behavioral signals are collected in real-time to establish session legitimacy.
Risk Scoring Engine
Signals are processed through a multi-layered policy engine that evaluates threat indicators against merchant-configured rules. Traffic is classified as trusted, suspicious, or high-risk based on composite scoring.
Cryptographic Attestation
Trusted sessions receive a time-bound, session-bound cryptographic token minted at the edge. Tokens are automatically refreshed as visitors browse and expire when sessions end or risk profiles change.
Checkout Enforcement
At checkout, Shopify validates the session attestation. Traffic lacking valid credentials is intercepted before reaching payment processors. Merchant-configurable responses include silent blocking, redirection, or challenge workflows.
Zero Friction Architecture: Legitimate customers never interact with the security layer. All evaluation happens transparently during normal browsing with sub-millisecond latency at the edge.
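The mint-then-validate flow described under Cryptographic Attestation and Checkout Enforcement can be sketched as follows. This is an added example, not Storefront Sentry's code: the HMAC-SHA256 construction, the `expiry.mac` token layout, the 300-second lifetime and every name in it are assumptions made for illustration.

```python
import base64
import hashlib
import hmac

# Constructed demo key; a real deployment would load this from a secret store.
EDGE_KEY = b"constructed-demo-key-not-a-real-secret"


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _sign(session_id: str, expires_at: int, key: bytes) -> bytes:
    # The MAC covers both the session and the expiry, so neither can be swapped.
    # Assumes session ids never contain the "|" separator.
    msg = f"v1|{session_id}|{expires_at}".encode()
    return hmac.new(key, msg, hashlib.sha256).digest()


def mint_token(session_id: str, now: int, ttl: int = 300, key: bytes = EDGE_KEY) -> str:
    """Edge side: issue a token valid for `ttl` seconds for this session only."""
    expires_at = now + ttl
    return f"{expires_at}.{_b64(_sign(session_id, expires_at, key))}"


def verify_token(token: str, session_id: str, now: int, key: bytes = EDGE_KEY) -> str:
    """Checkout side: return 'ok', or the reason the attestation is rejected."""
    try:
        expires_raw, mac_b64 = token.split(".")
        expires_at = int(expires_raw)
    except ValueError:
        return "malformed"
    expected = _b64(_sign(session_id, expires_at, key))
    # Constant-time comparison; check the MAC before trusting the expiry field.
    if not hmac.compare_digest(expected.encode(), mac_b64.encode()):
        return "bad_signature"
    if now >= expires_at:
        return "expired"
    return "ok"
```

A token replayed under a different session id, or with an edited expiry, fails the MAC check rather than the expiry check, which is what makes it both session-bound and time-bound.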
Automatically detect and block visitors using VPN services, datacenter IPs, and anonymous proxies. Fraudsters use these tools to mask their location and bypass regional restrictions.
Network Attribution
Every connection is analyzed at the edge to determine its network origin. The system distinguishes between residential ISP traffic, commercial VPN networks, hosting provider ranges, and anonymization services through multi-source intelligence feeds.
Policy Classification
Merchant-defined policies determine how different network types are handled. Strict mode targets known anonymization infrastructure, while expanded policies can include broader hosting and datacenter ranges commonly used by bot networks.
Real-time Gatekeeping
Blocked connections are intercepted at the network perimeter before any store session initialization occurs. The system returns appropriate responses that prevent store access while minimizing false positives through configurable exemptions.
Adaptive Enforcement
Depending on merchant configuration, blocked visitors are either redirected to informational pages or placed in a restricted browsing mode that allows product viewing while preventing cart activity and checkout progression.
Perimeter Architecture: All detection executes at the Cloudflare edge in sub-millisecond time. Suspicious traffic is filtered before consuming Shopify origin resources, reducing bandwidth costs and server load while maintaining storefront performance for legitimate visitors.
Geolocation Resolution
Each connection is automatically geolocated using Cloudflare's distributed edge network across 300+ global points of presence. Country and regional identifiers are resolved with high accuracy without impacting request latency.
Territorial Policy Matching
Merchant-defined territorial restrictions are evaluated against each visitor's resolved location. The system supports country-level exclusions, regional groupings, and compliance-oriented blocklists for regulatory requirements.
Perimeter Enforcement
Territorial blocks are enforced at the network edge before any store session initialization occurs. Blocked visitors receive appropriate responses based on merchant configuration without generating Shopify backend traffic.
Flexible Response Modes
Merchants configure response behavior per restriction: redirect visitors to custom informational pages, or enable restricted browsing that allows catalog viewing while silently preventing cart activity and checkout progression.
Compliance Ready: Supports regulatory frameworks including OFAC, EU sanctions, and UN embargo lists. Territorial enforcement executes before any Shopify session or customer data creation, preventing compliance violations at the outermost network perimeter.
Control access to your store based on visitor location. Block specific countries or entire regions with a few clicks. Perfect for compliance, fraud prevention, and operational efficiency.
Block visitors arriving from Tor exit nodes. The Tor network is frequently used by fraudsters, card testers, and malicious actors to hide their identity while attacking e-commerce sites.
Exit Infrastructure Intelligence
The system maintains real-time awareness of anonymization network exit points through continuous ingestion of authoritative threat intelligence feeds. IPv4 and IPv6 exit ranges are processed into optimized lookup structures for sub-millisecond matching.
Multi-Layer Caching
Intelligence data is cached at multiple layers to optimize performance while maintaining freshness. The system automatically refreshes exit node lists at regular intervals to ensure newly deployed anonymization infrastructure is detected without manual intervention.
Connection Attribution
Every incoming connection is checked against the current exit infrastructure database at the edge. Matches are flagged immediately, with no external lookups required in the critical path, ensuring detection latency remains under a millisecond.
Tier-Aware Enforcement
When anonymization traffic is detected and merchant policies are active, the system applies appropriate blocking responses. Tier-based usage limits ensure fair resource distribution while maintaining protection quality across all customer levels.
Self-Updating Intelligence: Exit node lists refresh automatically from upstream sources at configurable intervals. New anonymization relays are detected and blocked without requiring merchant action or system redeployment, maintaining protection against evolving infrastructure.
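One way to build the kind of lookup structure described under Exit Infrastructure Intelligence and Connection Attribution is a pair of sorted range arrays per IP version, searched with a binary search. This is an added example, not the product's code; the function names are hypothetical and the CIDRs are constructed from documentation prefixes, not real exit nodes.

```python
import bisect
import ipaddress

# Constructed sample feed (RFC 5737 / RFC 3849 documentation ranges).
SAMPLE_EXIT_CIDRS = [
    "192.0.2.10/32", "192.0.2.11/32", "198.51.100.0/28", "2001:db8:1::/48",
]


def build_index(cidrs):
    """Collapse CIDRs into sorted, non-overlapping integer ranges per IP version."""
    nets = [ipaddress.ip_network(c, strict=False) for c in cidrs]
    index = {}
    for version in (4, 6):
        same = [n for n in nets if n.version == version]
        merged = sorted(ipaddress.collapse_addresses(same))
        index[version] = (
            [int(n.network_address) for n in merged],    # range starts
            [int(n.broadcast_address) for n in merged],  # range ends
        )
    return index


def is_exit(index, addr: str) -> bool:
    """O(log n) membership test with no external lookup in the request path."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False  # unparseable input is not a match; the caller should log it
    # Treat IPv4-mapped IPv6 (::ffff:a.b.c.d) as the embedded IPv4 address.
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    starts, ends = index[ip.version]
    i = bisect.bisect_right(starts, int(ip)) - 1
    return i >= 0 and int(ip) <= ends[i]
```

Rebuilding the index on each feed refresh and swapping it in as a whole keeps lookups consistent while the list updates.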
Multi-Factor Verification
Crawler identification combines network-level attribution with behavioral fingerprinting. Major search engines are recognized through proprietary verification methods, while secondary crawlers require strict multi-signal validation to prevent spoofing attempts.
Intelligent Bypass Logic
When the failsafe is enabled and verified crawler traffic is detected, the system automatically overrides any network-level blocking policies that would normally apply. The traffic is reclassified as legitimate and granted standard access privileges.
Uninterrupted Access
Bypassed crawler sessions receive full system access, allowing indexing of product catalogs, validation of structured data, and rendering of previews without triggering security layers or generating false positive analytics.
Audit Integration
All bypass events are logged with distinctive markers, enabling merchant visibility into crawler access patterns and supporting security audits. Analytics distinguish between normal visitor traffic and verified crawler bypasses for accurate reporting.
Comprehensive Crawler Support: Covers all major search engines, SEO platforms, social media crawlers, and commerce intelligence tools. Network attribution parameters are environment-configurable, allowing rapid response to infrastructure changes without code deployment.
Ensure legitimate SEO crawlers can always access your store, even when strict blocking rules are active. Protect your search rankings while maintaining security.
Enterprise-grade event tracking with durable deduplication. Know exactly what's being blocked and why, with precise counting guarantees that satisfy compliance and audit requirements.
Correlated Event Collection
Each visitor interaction is tagged with unique session identifiers and sequence markers. This enables precise correlation across page loads, redirects, and browser reloads to maintain accurate event attribution.
Durable Deduplication
Blocked events use persistent storage-backed deduplication with time-bucketed composite keys. This guarantees exactly-once counting for security events even when clients retry or network conditions cause duplicate submissions.
Granular Rollup Aggregation
Daily summary tables aggregate events by type, source, and outcome. The system maintains separate counters for different block categories, checkout validation events, and successful sessions for comprehensive visibility.
Dashboard & Export
Real-time analytics APIs serve merchant dashboards with current and historical data. CSV export support enables integration with external business intelligence tools and compliance reporting workflows.
Time-Series Rollups: Daily aggregated counters optimized for dashboard queries
Dedupe Storage: Persistent key-value tracking for event uniqueness guarantees
Debug Telemetry: Optional correlation IDs and attribution data for incident investigation
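The exactly-once counting described under Durable Deduplication and Granular Rollup Aggregation can be illustrated with a uniqueness constraint on a time-bucketed composite key. This is an added example, not the product's code: SQLite stands in for the persistent store, and the key layout, 60-second bucket width and table names are assumptions.

```python
import sqlite3

BUCKET_SECONDS = 60  # assumed bucket width; the page does not state one


def open_store(path: str = ":memory:") -> sqlite3.Connection:
    db = sqlite3.connect(path)
    db.execute("CREATE TABLE IF NOT EXISTS seen (dedupe_key TEXT PRIMARY KEY)")
    db.execute(
        "CREATE TABLE IF NOT EXISTS daily_rollup ("
        "day INTEGER, event_type TEXT, n INTEGER NOT NULL, "
        "PRIMARY KEY (day, event_type))"
    )
    return db


def record_block(db, session_id: str, seq: int, event_type: str, ts: int) -> bool:
    """Count the event once; return False when it is a duplicate submission."""
    # ts is the event's own timestamp, so a client retry maps to the same bucket.
    bucket = ts // BUCKET_SECONDS
    key = f"{event_type}:{session_id}:{seq}:{bucket}"
    with db:  # one transaction: the key insert and the counter move together
        cur = db.execute("INSERT OR IGNORE INTO seen (dedupe_key) VALUES (?)", (key,))
        if cur.rowcount == 0:
            return False  # key already stored: retry or duplicate delivery
        db.execute(
            "INSERT INTO daily_rollup (day, event_type, n) VALUES (?, ?, 1) "
            "ON CONFLICT(day, event_type) DO UPDATE SET n = n + 1",
            (ts // 86400, event_type),
        )
    return True


def daily_count(db, day: int, event_type: str) -> int:
    row = db.execute(
        "SELECT n FROM daily_rollup WHERE day = ? AND event_type = ?",
        (day, event_type),
    ).fetchone()
    return row[0] if row else 0
```

Because the dedupe key and the rollup counter are written in the same transaction, a crash between the two cannot leave an event marked as seen but uncounted.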