Storefront Password Protection and Login

To prevent shoppers from finding your storefront during development and testing, restrict access. Limit storefront access to merchants and other people involved in the project. This limit prevents crawlers and search engine robots from indexing your storefront and making it available to search engines. Both dynamic content, such as pages, and static content, such as images, are protected.

Configure a storefront password on Business Manager that requires authentication of users trying to access the storefront. This feature blocks access to both dynamic pages and static pages. If a site is storefront protected and the storefront user hasn't provided the appropriate credentials, an HTTP response 403 (Access Forbidden) is returned.

When a shopper or user tries to access a storefront that is in the development stage and has password protection enabled, an Authentication Required window opens. See Setting Protection Flags and Assigning Passwords to learn how to enable or disable storefront password protection.

Business Manager users with the functional permission Access_Protected_Storefront can always log on to the storefront. To let other users access the Storefront, create a shared login. The default username is storefront, though you must assign your own password ( to be entered for an authentication request). The storefront administrator sets the flag and password through Business Manager.

Note: When activating the storefront protection, invalidate the static content cache to enforce protection of static content. Otherwise any unprotected content that was already delivered is valid until it expires. If the password changes, invalidate the static content cache to enforce the usage of the new password. Otherwise the delivered content is served until it expires.

When a shopper forgets their password and asks for a reset, the password reset token expiration period is 30 minutes.

Note: The password reset token expiration period for Business Manager users is 120 minutes.

Storefront Default Password Requirements

The default requirements for storefront passwords (managed via customerlists) are as follows:


Sites with customerlists created before Release 17.5 retain the previous defaults if the settings were not configured, as follows:

  • Minimum password length: 1
  • Minimum number of special characters: 0
  • Must contain letters: false
  • Multiple letters must be of mixed case: false
  • Must contain numbers: false

If these settings were configured before Release 17.5, the existing settings are retained.


The API enables you to perform password checks and obtain the constraints for display to the customer, as follows:

boolean : dw.customer.CustomerMgr.isAcceptablePassword(String password)
 dw.customer.CustomerPasswordConstraints :
X Privacy Update: We use cookies to make interactions with our websites and services easy and meaningful, to better understand how they are used. By continuing to use this site you are giving us your consent to do this. Privacy Policy.