How Bold interacts with your store's security settings
Bold Booster for PayPal makes API calls to communicate with your store and its platform. For this to work, your store must allow sending and receiving information to and from Bold.
This page covers some important security concepts to understand when using Bold Booster for PayPal.
Why stores block traffic
Your store's security systems, such as firewalls and content delivery networks (CDNs), often block traffic they perceive as coming from bots and not from real customers. This configuration can be good for blocking potentially fraudulent transactions, but it can also block traffic from integrations you want to allow.
Because Bold communicates with your store via API calls, your store might block traffic from Bold by default. However, you can alter your security settings so your store can communicate with Bold while still blocking the kinds of traffic you want to block.
Allowlisting
Allowlisting means adding certain traffic sources to your security system's approved list. Doing this ensures your firewall or CDN allows Bold to communicate with your store.
To use Bold Booster for PayPal, you'll need to allowlist 3 types of things:
- Bold domains—URLs from which Bold makes calls to your store
- Bold IP addresses—IDs of Bold devices that handle these calls
- Bold's header—Metadata that comes with a call and shows it comes from Bold
Domains
Calls from Bold come from one of the following domains:
https://api.boldcommerce.com
https://checkout.boldcommerce.com
IP addresses
Calls from Bold to your store's platform come from a predefined list of IPs. This list contains several addresses, but you won't see calls from all of these all the time.
For the full list of IP addresses you need to allowlist, refer to the installation instructions for your platform:
Headers
Each call from Bold to your store is accompanied by a header that looks like this: User-Agent: Bold-Api.
Not all firewalls or CDNs block traffic based on specific agent strings in call headers. If your system does, update your allowlist to allow (or "skip") traffic where the User-Agent value is Bold-Api.
Updating your allowlist to allow traffic to and from Bold
By updating your security configurations to allow specific types of traffic from Bold, you can ensure Bold works correctly without compromising your store's security.
Exactly how you allowlist Bold's domains, IP addresses, and headers depends on your current security system. Here are some common firewall and CDN providers and links to their documentation:
Find out more about your existing security configurations
If your store is still blocking traffic from Bold despite allowlisting, you might need to dig deeper to identify the cause.
- Review your site's traffic logs, searching for any deny or block activities to identify what kinds of traffic are getting blocked and when.
- Review your store's firewall rules and check to see if any additional configurations could cause blocked traffic.
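One way to do the log review above, as an added example that is not Bold's code: it groups deny and block events by which Bold signals they carry (source IP, User-Agent) and by the rule that fired. The JSON log format, field names, rule names and sample lines are constructed, and the IP ranges are placeholders to be replaced with the list from your platform's installation instructions.

```python
import ipaddress
import json
from collections import Counter

# Placeholder ranges (RFC 5737); use the IP list from your platform's install guide.
BOLD_NETWORKS = [ipaddress.ip_network(n) for n in ("192.0.2.0/28", "198.51.100.7/32")]
BOLD_USER_AGENT = "Bold-Api"
BLOCKING_ACTIONS = {"deny", "block"}

# Constructed sample log lines; the field names are assumed, not a vendor format.
SAMPLE_LOG = """\
{"ts":"2024-05-01T10:00:01Z","action":"allow","src_ip":"192.0.2.5","user_agent":"Bold-Api","rule":"skip-bold"}
{"ts":"2024-05-01T10:00:09Z","action":"block","src_ip":"192.0.2.9","user_agent":"Bold-Api","rule":"bot-fight"}
{"ts":"2024-05-01T10:01:30Z","action":"deny","src_ip":"203.0.113.44","user_agent":"Bold-Api","rule":"geo-deny"}
{"ts":"2024-05-01T10:02:12Z","action":"block","src_ip":"203.0.113.80","user_agent":"curl/8.4.0","rule":"bot-fight"}
not-json garbage line
{"ts":"2024-05-01T10:03:00Z","action":"BLOCK","src_ip":"198.51.100.7","user_agent":"Mozilla/5.0","rule":"rate-limit"}
"""

def is_bold_ip(addr):
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in BOLD_NETWORKS)

def classify(event):
    """Label one blocked event by which Bold signals it carries."""
    ua_match = event.get("user_agent", "") == BOLD_USER_AGENT
    ip_match = is_bold_ip(event.get("src_ip", ""))
    if ua_match and ip_match:
        return "bold-blocked"          # Bold traffic is being dropped by this rule
    if ip_match:
        return "bold-ip-other-agent"   # listed IP, but the Bold header is absent
    if ua_match:
        return "agent-only"            # header is client-supplied; IP is not listed
    return "unrelated"

def triage(log_text):
    """Count (label, rule) pairs over deny/block events; skip unparseable lines."""
    hits = Counter()
    for line in log_text.splitlines():
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue
        if isinstance(event, dict) and str(event.get("action", "")).lower() in BLOCKING_ACTIONS:
            hits[(classify(event), event.get("rule", "?"))] += 1
    return hits
```

Calling triage() on exported log text returns a counter keyed by label and rule; "bold-blocked" entries name the rules that need a skip or allow exception for Bold.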