Storefront Password Protection and Login

While your storefront is in the development or testing stages, you don't want potential consumers to find it through a search engine. You can restrict access to your Development, Staging, and Production instances to merchants and other people involved in the project, thereby protecting it from crawlers and search engine robots, so that the instance can't be indexed and made available to search engines. Both dynamic content, such as pages, and static content, such as images, are protected.

The Business Manager user interface enables you to configure a storefront password that requires users to authenticate before they can access the storefront. This feature blocks access to both dynamic pages and static pages. An HTTP 403 (Access Forbidden) response is returned if storefront protection is enabled for a site and the storefront user has not provided the appropriate credentials.

When a customer or user tries to access a storefront that is in the development stage and has password protection enabled, an Authentication Required window opens. See Setting Protection Flags and Assigning Passwords to learn how to enable or disable storefront password protection.

Business Manager users with the functional permission Access_Protected_Storefront can always log on to the storefront. To let other users access the storefront, you can create a shared username and password. The default username is storefront and the default password is preview123 (to be entered for an authentication request). The storefront administrator sets the flag and password through Business Manager.

Note: When you activate storefront protection, you must invalidate the static content cache to enforce protection of static content; otherwise, any unprotected content that was already delivered remains valid until it expires. If the password is changed, you must invalidate the static content cache to enforce use of the new password; otherwise, content that was already delivered is served until it expires.

When a storefront customer forgets their password and asks for a reset, the password reset token expiration period is 30 minutes.

Note: The password reset token expiration period for Business Manager users is 120 minutes.

Storefront Default Password

The default requirements for storefront passwords (managed via customerlists) are as follows:


Sites with customerlists created prior to Release 17.5 retain the previous defaults if the settings were not configured, as follows:

  • Minimum password length: 1
  • Minimum number of special characters: 0
  • Must contain letters: false
  • Multiple letters must be of mixed case: false
  • Must contain numbers: false

If these settings were configured prior to Release 17.5, the existing settings are retained.
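The legacy defaults listed above accept a one-character password. The following added example (not the platform's code and not the dw.customer API) models the five settings in plain JavaScript to show that, and to flag a configuration that still sits at those defaults. The field names, the SAMPLE_STRICT values, the definition of a special character and the reading of the mixed-case rule are assumptions.

```javascript
// Added example: stand-alone model of the five settings; field names are hypothetical.
const LEGACY_DEFAULTS = Object.freeze({
  minLength: 1,
  minSpecialChars: 0,
  forceLetters: false,
  forceMixedCase: false,
  forceNumbers: false,
});

// Constructed comparison policy (illustrative values, not the platform defaults).
const SAMPLE_STRICT = Object.freeze({
  minLength: 12,
  minSpecialChars: 1,
  forceLetters: true,
  forceMixedCase: true,
  forceNumbers: true,
});

// Returns the names of the settings a password violates.
function passwordViolations(password, c) {
  const chars = [...password];
  const letters = chars.filter((ch) => /\p{L}/u.test(ch));
  const digits = chars.filter((ch) => /\p{Nd}/u.test(ch)).length;
  // Assumption: a "special character" is anything that is not a letter or digit.
  const specials = chars.length - letters.length - digits;
  const hasUpper = letters.some((ch) => ch !== ch.toLowerCase());
  const hasLower = letters.some((ch) => ch !== ch.toUpperCase());
  const out = [];
  if (chars.length < c.minLength) out.push("minLength");
  if (specials < c.minSpecialChars) out.push("minSpecialChars");
  if (c.forceLetters && letters.length === 0) out.push("forceLetters");
  // Assumed reading: the mixed-case rule applies only when there is more than one letter.
  if (c.forceMixedCase && letters.length > 1 && !(hasUpper && hasLower)) out.push("forceMixedCase");
  if (c.forceNumbers && digits === 0) out.push("forceNumbers");
  return out;
}

// Lists the settings that are no stricter than the pre-17.5 defaults.
function legacyWeakSettings(c) {
  const weak = [];
  if (c.minLength <= LEGACY_DEFAULTS.minLength) weak.push("minLength");
  if (c.minSpecialChars <= LEGACY_DEFAULTS.minSpecialChars) weak.push("minSpecialChars");
  for (const k of ["forceLetters", "forceMixedCase", "forceNumbers"]) {
    if (!c[k]) weak.push(k);
  }
  return weak;
}
```

Running `legacyWeakSettings` over the values read from each customer list's settings gives a quick inventory of lists that were never configured after Release 17.5.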


The API enables you to perform password checks and obtain the constraints for display to the customer, as follows:

boolean : dw.customer.CustomerMgr.isAcceptablePassword(String password)
 dw.customer.CustomerPasswordConstraints :
