E-commerce architecture guide
E-commerce Edge Architecture: Fast Catalog, Safe Checkout and Bot Defense
Classify public catalog, customer state, and transaction-critical traffic before optimising it. The fastest response is not a success when it leaks entitlement or confirms the wrong order.
On this page
An ecommerce edge is not a “cache everything” setting. It is three distinct traffic contracts: public catalog representations, private account and cart state, and transaction-critical checkout. The edge can cache, filter, and protect capacity; the application remains authoritative for identity, price, inventory, eligibility, payment, and order commitment.
Overview
Outcome
Define route-level cache, origin, and abuse-control contracts that make public pages reusable while preserving private state and safe order decisions during normal traffic and peaks.
Design three traffic planes
- Public catalog
Cache public product, category, editorial, and versioned asset representations.
- Account and cart
Keep identity, loyalty, addresses, and cart state private and origin-authorised.
- Checkout
Validate price, stock, fraud, tax, payment, and idempotency at commitment time.
Public content can stop at the edge; customer state and order commitment always retain an application-owned correctness boundary.
Write a cache contract before choosing a TTL
RFC 9111 makes shared-cache behaviour dependent on response directives and variation. Document each route's representation dimensions, cache key, freshness, invalidation owner, stale policy, and negative test. no-cache permits storage but requires validation before reuse; no-store prohibits storage and reuse.
| Response class | Shared-cache policy | Correctness rule |
|---|---|---|
| Versioned assets | Public, long-lived, versioned URL | A changed asset receives a new URL. |
| Public product page | Public only for equivalent locale, market, and channel output | Key includes every permitted variation. |
| Account or cart | private, no-store | Application authorises every object request. |
| Checkout and confirmation | private, no-store | Recheck price, inventory, payment, and idempotency. |
route: /products/{slug}
audience: public
cache_key: path + locale + market
freshness: business-approved
origin_rule: revalidate price and inventory at order commit
negative_test: authenticated response never enters shared cacheProtect origin and checkout separately
Keep the origin private where possible, restrict it to the edge path, authenticate edge-to-origin traffic, and test direct-origin rejection. Treat checkout as a payment-page security boundary: PCI DSS requirements that apply to an ecommerce environment include authorised payment-page scripts, script integrity, inventory, and change/tamper detection. A CDN or WAF does not replace application authorisation.
Defend against bots by business flow
Credential stuffing, carding, scraping, inventory denial, and denial of service have different signals and harms. Apply limits by account, session, route, device or network context, and business object, not IP alone. Use graduated controls: observe, throttle, challenge, require step-up authentication, then restrict confirmed abuse. Preserve an accessible recovery path and generic login failures to prevent account enumeration.
Prepare the peak-event failure paths
Test warm and cold cache states, promotion start, inventory depletion, origin slowdown, payment degradation, bot surge, purge, and rollback. Monitor cache outcome, origin fetches, latency, WAF/rate actions, login outcomes, and checkout success as separate signals. A high cache-hit ratio cannot prove that private state is safe or checkout is correct.
Troubleshooting
E-commerce edge anti-patterns
- Caching by full cookie header or caching authenticated HTML without a reviewed isolation design.
- Serving stale cart, payment, inventory reservation, or order-confirmation state.
- Treating CAPTCHA, IP reputation, or a bot score as the only account-takeover control.
- Allowing direct public origin access because the storefront is normally behind a CDN.
Related guides
- Account Takeover Defense at the Edge
- Client-Side Script and Magecart Protection
- Peak Traffic Readiness
Authoritative references
- RFC 9111: HTTP Caching
- OWASP Credential Stuffing Prevention Cheat Sheet
- OWASP API4: Unrestricted Resource Consumption
- PCI SSC: Payment Page Security and Preventing E-Skimming
- CISA: Preventing Web Application Access Control Abuse
Review the delivery path before the next peak
Optimi can help align cache contracts, origin protection, bot controls, and evidence around the ecommerce journeys that matter.
Assess ecommerce delivery