SFCC Development MCP Server

security-patterns.mdc•13.3 KiB

--- description: SFCC security best practices and validation patterns alwaysApply: true --- # SFCC Security Best Practices Use this rule when implementing security-sensitive features or validating user input. ## Mandatory MCP Tools Sequence **BEFORE implementing ANY security-sensitive code:** 1. `mcp_sfcc-dev_search_best_practices` with query: "security" 2. `mcp_sfcc-dev_get_best_practice_guide` with guideName: "security" 3. `mcp_sfcc-dev_search_best_practices` with query: "validation" 4. `mcp_sfcc-dev_search_sfcc_classes` with query: relevant security domains ## MCP-Guided Security Development Process ### Step 1: Get Security Best Practices ``` Use: mcp_sfcc-dev_search_best_practices with query: "security" Use: mcp_sfcc-dev_get_best_practice_guide with guideName: "security" Purpose: Get comprehensive security guidelines, validation patterns, and threat mitigation strategies ``` ### Step 2: Input Validation Patterns ``` Use: mcp_sfcc-dev_search_best_practices with query: "validation" Purpose: Get input validation, sanitization, and XSS prevention patterns ``` ### Step 3: SFCC Security API Research ``` Use: mcp_sfcc-dev_search_sfcc_classes with query: [security domain] Use: mcp_sfcc-dev_get_sfcc_class_info with className: [security-related classes] Purpose: Understand available SFCC security APIs and encryption methods ``` ## MCP-Enhanced Input Validation Template ```javascript 'use strict'; /** * Input Validation Utilities * Implementation based on: * - mcp_sfcc-dev_search_best_practices with query: "security" * - mcp_sfcc-dev_get_best_practice_guide with guideName: "security" */ var StringUtils = require('dw/util/StringUtils'); var Logger = require('dw/system/Logger').getLogger('security', 'InputValidation'); /** * Validate and sanitize user input * Security patterns from MCP security best practices * @param {string} input - User provided input * @param {string} type - Expected input type (email, phone, text, etc.) * @param {Object} options - Validation options * @returns {Object} Validation result */ function validateInput(input, type, options) { options = options || {}; try { // Basic type validation (from MCP security guide) if (!input || typeof input !== 'string') { return { valid: false, error: 'Invalid input type', code: 'INVALID_TYPE' }; } // Length validation (security pattern from MCP) var maxLength = options.maxLength || 1000; if (input.length > maxLength) { Logger.warn('Input length exceeded limit: {0} > {1}', input.length, maxLength); return { valid: false, error: 'Input too long', code: 'LENGTH_EXCEEDED' }; } // Empty input handling (from MCP validation patterns) if (input.trim().length === 0) { return { valid: false, error: 'Input cannot be empty', code: 'EMPTY_INPUT' }; } // Sanitize for XSS (critical security pattern from MCP) var sanitized = StringUtils.stringToHtml(input); // Type-specific validation (patterns from MCP security guide) switch (type) { case 'email': var emailRegex = /^[^\s@]+@[^\s@]+\.[^\s@]+$/; if (!emailRegex.test(input)) { return { valid: false, error: 'Invalid email format', code: 'INVALID_EMAIL' }; } break; case 'phone': var phoneRegex = /^\+?[\d\s\-]+$/; if (!phoneRegex.test(input)) { return { valid: false, error: 'Invalid phone format', code: 'INVALID_PHONE' }; } break; case 'alphanumeric': var alphaNumRegex = /^[a-zA-Z0-9]+$/; if (!alphaNumRegex.test(input)) { return { valid: false, error: 'Only alphanumeric characters allowed', code: 'INVALID_ALPHANUMERIC' }; } break; case 'customerNo': // Customer number validation (SFCC-specific pattern from MCP) var customerNoRegex = /^[a-zA-Z0-9\-_]+$/; if (!customerNoRegex.test(input) || input.length > 50) { return { valid: false, error: 'Invalid customer number format', code: 'INVALID_CUSTOMER_NO' }; } break; case 'productId': // Product ID validation (SFCC-specific pattern from MCP) var productIdRegex = /^[a-zA-Z0-9\-_\.]+$/; if (!productIdRegex.test(input) || input.length > 100) { return { valid: false, error: 'Invalid product ID format', code: 'INVALID_PRODUCT_ID' }; } break; } // Additional security checks (from MCP security patterns) if (containsSuspiciousPatterns(input)) { Logger.warn('Suspicious input pattern detected: {0}', input.substring(0, 50) + '...'); return { valid: false, error: 'Input contains invalid patterns', code: 'SUSPICIOUS_INPUT' }; } return { valid: true, sanitized: sanitized, original: input }; } catch (e) { Logger.error('Error during input validation: {0}', e.message); return { valid: false, error: 'Validation error', code: 'VALIDATION_ERROR' }; } } /** * Check for suspicious patterns that could indicate attacks * Security patterns from MCP security guide */ function containsSuspiciousPatterns(input) { var suspiciousPatterns = [ /<script/i, // XSS attempt /javascript:/i, // JavaScript protocol /on\w+\s*=/i, // Event handlers /eval\s*\(/i, // Code execution /expression\s*\(/i, // CSS expression /'.*OR.*'/i, // SQL injection /UNION.*SELECT/i, // SQL injection /DROP.*TABLE/i, // SQL injection /--/, // SQL comment /\/\*/, // Multi-line comment /\.\.\//, // Path traversal /%2e%2e%2f/i, // Encoded path traversal /\x00/, // Null byte ]; return suspiciousPatterns.some(function(pattern) { return pattern.test(input); }); } module.exports.validateInput = validateInput; module.exports.containsSuspiciousPatterns = containsSuspiciousPatterns; ``` ## MCP-Enhanced Authentication Patterns ```javascript 'use strict'; /** * Authentication and Authorization Utilities * Implementation based on MCP security best practices */ var Logger = require('dw/system/Logger').getLogger('security', 'Authentication'); /** * Check customer authentication with comprehensive logging * Security pattern from MCP security guide */ function validateCustomerAuthentication(req, res, options) { options = options || {}; try { var customer = req.currentCustomer; // Basic authentication check (from MCP security patterns) if (!customer || !customer.authenticated) { Logger.warn('Unauthenticated access attempt to protected resource: {0}', req.httpURL); if (options.returnJson) { res.setStatusCode(401); res.json({ error: 'AUTHENTICATION_REQUIRED', message: 'Authentication required' }); } else { res.setStatusCode(401); res.render('error/unauthorized'); } return false; } // Additional security checks (from MCP security guide) if (options.requireActiveCustomer && !customer.profile) { Logger.warn('Customer authenticated but no profile found: {0}', customer.ID); if (options.returnJson) { res.setStatusCode(403); res.json({ error: 'INVALID_CUSTOMER_STATE', message: 'Customer profile required' }); } else { res.setStatusCode(403); res.render('error/forbidden'); } return false; } // Log successful authentication (for security auditing) Logger.debug('Customer authentication validated: {0}', customer.profile ? customer.profile.customerNo : customer.ID); return true; } catch (e) { Logger.error('Error during authentication validation: {0}', e.message); if (options.returnJson) { res.setStatusCode(500); res.json({ error: 'AUTHENTICATION_ERROR', message: 'Authentication validation failed' }); } else { res.setStatusCode(500); res.render('error/servererror'); } return false; } } /** * Check specific permissions for authenticated customers * Authorization pattern from MCP security guide */ function checkCustomerPermissions(customer, requiredPermissions) { if (!customer || !customer.authenticated || !customer.profile) { return { authorized: false, error: 'Customer not authenticated' }; } // Implement permission checking logic based on your business requirements // This is a template - customize based on your permission system if (requiredPermissions && requiredPermissions.length > 0) { // Check customer groups, custom attributes, or other permission mechanisms var hasPermissions = requiredPermissions.every(function(permission) { return checkSinglePermission(customer, permission); }); if (!hasPermissions) { Logger.warn('Customer {0} lacks required permissions: {1}', customer.profile.customerNo, requiredPermissions.join(', ')); return { authorized: false, error: 'Insufficient permissions' }; } } return { authorized: true }; } function checkSinglePermission(customer, permission) { // Implement your specific permission logic here // Examples: customer groups, custom attributes, etc. return true; // Placeholder implementation } module.exports.validateCustomerAuthentication = validateCustomerAuthentication; module.exports.checkCustomerPermissions = checkCustomerPermissions; ``` ## Security Checklist (MCP-Verified) Before implementing security features, verify with MCP: - [ ] `mcp_sfcc-dev_search_best_practices` with query: "security" - Get security patterns - [ ] `mcp_sfcc-dev_get_best_practice_guide` with guideName: "security" - Comprehensive guide - [ ] `mcp_sfcc-dev_search_best_practices` with query: "validation" - Input validation patterns Implementation verification: - [ ] Validate all user inputs with type-specific validation - [ ] Sanitize data before rendering in templates - [ ] Use CSRF protection for forms - [ ] Implement proper authentication checks - [ ] Avoid exposing sensitive data in errors - [ ] Use HTTPS for all sensitive operations - [ ] Validate file uploads and restrict types - [ ] Implement rate limiting for APIs - [ ] Use secure session management - [ ] Log security events appropriately ## Common Security Anti-Patterns (from MCP Security Guide) ```javascript // DON'T: Direct parameter access without validation (security vulnerability) var userInput = request.httpParameterMap.parameter.value; response.getWriter().print(userInput); // XSS vulnerability // DO: Validate and sanitize (pattern from MCP security guide) var userInput = request.httpParameterMap.parameter.value; var validation = validateInput(userInput, 'text'); if (validation.valid) { response.getWriter().print(validation.sanitized); } else { Logger.warn('Invalid input rejected: {0}', validation.error); response.getWriter().print('Invalid input provided'); } // DON'T: Expose system errors to users (information disclosure) try { // Operation } catch (e) { response.getWriter().print('Database error: ' + e.message); // Exposes system info } // DO: Log errors securely and return generic messages (MCP security pattern) try { // Operation } catch (e) { Logger.error('Database operation failed: {0}', e.message); response.getWriter().print('An error occurred. Please try again later.'); } ``` ## CSRF Protection Pattern (from MCP Security Guide) ```javascript // Controller implementation with CSRF protection var csrfProtection = require('*/cartridge/scripts/middleware/csrf'); // Route to display the form with CSRF token server.get('ShowForm', csrfProtection.generateToken, function (req, res, next) { res.render('myFormTemplate', { csrf: res.getViewData().csrf // Pass token to template }); next(); }); // Route to handle the submission with CSRF validation server.post('SubmitForm', csrfProtection.validateRequest, function (req, res, next) { // If execution reaches here, the token was valid var formData = req.form; var validation = validateInput(formData.userInput, 'text'); if (!validation.valid) { res.json({ success: false, error: validation.error }); return next(); } // Process validated data res.json({ success: true }); next(); }); ``` ## NEVER Implement Security Without MCP - ❌ Don't implement validation without patterns - use `mcp_sfcc-dev_search_best_practices` - ❌ Don't skip input sanitization - use MCP XSS prevention patterns - ❌ Don't expose system errors - follow MCP error handling guide - ❌ Don't implement authentication without consulting MCP security guide - ❌ Don't assume security APIs - use `mcp_sfcc-dev_search_sfcc_classes`

Loading blob content...

Latest Blog Posts

Redis vs ioredis vs valkey-glide
By punkpeye on January 26, 2026.
benchmark
Redis
valkey
Quickstart: Publish an MCP Server to the MCP Registry
By punkpeye on January 24, 2026.
mcp
official reference mirror
Official MCP Registry Server.json Requirements
By punkpeye on January 24, 2026.
mcp
official reference mirror

MCP directory API

We provide all the information about MCP servers via our MCP API.

curl -X GET 'https://glama.ai/api/mcp/v1/servers/taurgis/sfcc-dev-mcp'

If you have feedback or need assistance with the MCP directory API, please join our Discord server

security-patterns.mdc•13.3 KiB