1 888 99 FLARE | enterprise@cloudflare.com | www.cloudflare.com

Don’t Get Left Behind

Improving Your E-Commerce Site Performance and Security for the Mobile Consumer

2

Executive SummaryMobile is at the tipping point to become the most important channel of e-commerce strategies. The top 25% of

.S. retailers have already gured out how to drive up mobile conversion rates to ta e an overproportional share of the addressable mar et in a race where the winners ta e it all. hey manage to better retain users and attract product views by providing mobile sites and apps which are fast and available. Cloudflare can help to achieve those critical re uirements by providing

• ne of the fastest Content elivery etwor s based on Anycast routing and the ability to cache content physically close to consumers to reduce latency

• Predictable flat rate pricing

• Mobile Image and code optimi ation as well as support for IPv to reduce latency for mobile devices

• Protection against layer and S attac s and layer application vulnerabilities to increase uptime

• Encryption done right with high performance

Setting up Cloudflare to get access to those capabilities is a ma or step forward for e-commerce vendors to proactively eep their sites fast and safe all year round.

Mobile commerce is at a tipping point E-commerce is e citing ith 1 . Y Y growth in 1 and accounting for a whopping of S retail sales growth in 1 it far outpaced bric and mortar retail growth. hat is even more e citing is mobile commerce which is growing even faster. Mobile commerce is now at a tipping point For the rst time ever in 1 in apan and in the the share of mobile e-commerce retail transactions was over and thus larger than des top transactions. In the .S. the mobile share of e-commerce transactions is growing fast at 1 . Y Y. Even though the .S. mobile share of e-commerce transactions is still trailing behind at is it poised to catch up to the leading countries.

he leading uartile of S retailers are already capitali ing on this trend by providing the best mobile sites and apps. hey manage to better retain users and attract product views driving up their conversion rates by up to 9 compared to the average emerging retailer. As a result they are ta ing an overproportional share of the mobile spoil with of their e-commerce sales coming from mobile growing at a breathta ing Y Y.

3

here can be no doubt that mobile commerce has developed into a ey sales and mar eting channel. he retailers providing the best mobile e perience are the winners and will continue to ta e an even more dominant share of the available mar et.

Mobile is critically important for the holiday shopping seasonoliday online shopping Cyber bro e records in 1 with Cyber Monday claiming the title of the heaviest

online spending day in .S. history. Smartphones played a massively important role claiming of the tra c and of the orders. verall for the th uarter smartphone tra c and orders grew at ama ing rates while des top and tablet orders were down and 11 respectively.

he 1 holiday shopping period proves again that the retailers with the best mobile e perience clean the plate. For e ample Ama on grew at for the 1 holiday uarter. In the upcoming holiday season ric and Clic retailers will li ely see more online than in-store tra c ma ing the mobile shopping e perience critical for growth.

The impact of latency and availability on conversion rates hat separates the leaders from the pac he leading e-commerce retailers provide the best mobile sites and

apps to increase their conversion rates. Conversion rates for mobile are still low and they are directly lin ed to mobile site app performance and availability. For e ample the conversion rate for a leading online retailer pea ed at 1.9 with an average page load time of . seconds. nly a one second slower average page load time of . second led to a drop of the conversion rate by .

here are many industry e amples which illustrate the lin between site performance and conversion rate

• Ama on increased revenue by 1 for every 1 ms reduction in site latency

• Yahoo increased tra c by 9 for every ms reduction in site latency

• almart saw a sharp decline in conversion rates as average site load time increased from 1 to seconds

In general oogle reported that site latency of 1 to milliseconds has a measureable impact on consumer behaviour and a site which is slower by milliseconds than a competitor s site will be less often visited.

In addition to latency caused by the sites apps itself istributed enial-of-Service oS attac s can ma e the site entirely unavailable. Cloudflare which has close to 1 of the worldwide internet tra c flowing through its networ s can lter and accurately measure attac s. ver the last year Cloudflare saw the number and intensity of attac s increasing. he largest oS attac on record based on an Internet-of- hings Io botnet pea ed at a whopping 1 bps raising the bar to a new baseline.

5

Attac s are often not one-o events and victims are typically targeted multiple times in a year. According to Cloudflare s e perience anybody - large and small organi ations - can be targeted. Even though many urisdictions have laws under which oS attac s are illegal there are oS-as-a-Service providers o ering subscriptions some starting as low as at - 1 month.

Even Ama on s website 1 illion in retail revenues in 1 went down multiple times in the past for un nown reasons. For e ample in 1 Ama on.com went down for an estimated 1 - minutes costing the company 1.8 - . million in lost sales based on the company s average sales of 11 88 per minute. he cost of downtime to E-commerce vendors might be much higher during the holiday season - Ama on recogni ed of annual revenues during the fourth uarter of 1 - due to the seasonality of the business. ther negative e ects of system downtime include impact to customer satisfaction search engine ran ings and investor relations.

In summary it is critical for m-commerce vendors who want to improve conversion rates especially during the holiday season to provide snappy sites apps which are protected against oS attac s to improve uptime.

Essential technologies for fast and secure mobile sites Cloudflare can help you to accelerate and protect your mobile commerce sites and apps without adding hardware installing software or changing a single line of your code.

he rst step is to use Cloudflare s Content elivery etwor C which is one of the world s largest networ s that powers more than 1 trillion re uests per months. his is nearly 1 percent of all internet re uests for more than . billion people worldwide. Cloudflare s C is consistently ran ed as one of the fastest C s with median response times of ms for the S according to Cede is. Some of its ey capabilities include

Anycast based routing

hile Cloudflare s C wor s with a routing scheme called Anycast most of the internet today still wor s with a mechanism called nicast. nder nicast every node on the networ gets an IP address which is uni ue to it. Routers eep a map of the world s IP addresses to maintain a sense of the shortest path across the various hops to reach the nal destination. owever the nal destination might be somewhere across the continent or in some other place around the world re uiring additional hops which each add latency. nder Anycast the routing scheme used by Cloudflare multiple machines in the C networ share the same IP address allowing routers to send re uests directly to the physically closest server and to reduce latency.

Caching of content

Cloudflare s Anycast networ operates in con unction with caching of content. nce Anycast routed a re uest Cloudflare s Anycast networ operates in con unction with caching of content. nce Anycast routed a re uest to the physically closest server a copy of cached content is available for access on this server. he bene ts of caching are that ob ects can be moved closer to the visitor re uesting them to accelerate delivery and to decrease the load on the origin web server. Cloudflare provides capabilities for automatic caching of static content and with Railgun Cloudflare provides a mechanism to cache dynamic content.

Cloudflare analy es the tra c that passes bac through the servers in the C to nd the static portions of the origin site. hen the static content is cached in the C for a short period of time. ypically of web content is cacheable through automatic caching of static content and the remaining is non-cacheable and must be obtained from the origin web server. Railgun is designed to speed up the delivery of content that cannot be cached so that essentially the entire web becomes cacheable. It wor s by recogni ing that uncacheable web pages do not change very rapidly and the very small di erence in changes between versions of the web pages can be identi ed by Cloudflare s C servers. Cloudflare then compresses the changes with compression rates of up to 99. and sends them across the lin achieving performance improvements of up to . Railgun re uires the installation of a software component on the origin server side.

Argo Smart Routing

hile Cloudflare delivers over 1 of the world s Internet tra c it analy es in real-time the true health and reliability of networ paths. Cloudflare s Argo smart routing algorithm uses this information to route tra c away from connection failures through the fastest paths available while maintaining open secure connections to eliminate latency. Argo smart routing reduces Internet latency on average by an additional and connection errors by .

Load Balancing

Local and global load balancing distributes tra c across servers or datacenters to avoid over-utili ation of servers and downtime which is especially important during seasonal tra c spi es li e holiday shopping events.

ealth chec s with fast failover provides the ability to rapidly route tra c to only healthy servers to improve availability ensuring sites and web resources are running at the times they are needed most.

Image and code optimization

ith Polish Mirage and Auto-Minify Cloudflare provides a one-two-three punch to reduce latency. hose capabilities are especially important for mobile devices which have limited bandwidths.

Polish removes metadata and compresses images to decrease their si e. Polish can be run in Lossless mode which removes the unnecessary bloat from the image header and metadata without removing any image data.

he average le si e is reduced by 1 . Polish can also be run in Lossy mode which in addition to Lossless applies a compression algorithm to suitable images. Images will appear e actly the same as they would have before without any perceptible visual di erence but the average le si es are reduced by 8 . Images ma e up more than of the data that ma es up a typical website.

Mirage manages how images are loaded on mobile devices. It uic ly produces the appearance of a usable page for users to interact with while lling in the rest of the page without disrupting the user e perience.

• Mirage uses La y Loading to prioriti e the loading of the images that are in the viewport i.e. the images that are actually displayed by the browser. It then loads the other images on the page which are not displayed by the browser as they are needed or as there are spare networ resources available.

• Mobile devices re uire smaller images due to their smaller screen si e. Mirage resi es an image at the server

8

to typically as little as 1 of the full-resolution image and sends the reduced-si e image rst. After the page is rendered with the reduced-si ed images they will be replaced by the full-resolution versions. Images start to appear rst as low uality and then come into sharp focus.

• Rather than initiating a new re uest for each image Mirage streams all the images from Cloudflare s networ with a single re uest. his means that even a page with hundreds of images can begin rendering in the browser with as few as two re uests. Even users on slow mobile connections can begin interacting with the page immediately rather than having to wait for all the full-resolution images to load

Auto Minify removes on-the-fly all unnecessary characters i.e. the whitespace from ML avaScript and CSS les saving of a le s si e without changing an of the functionality. Cloudflare implementation of Auto Minify is easily 1 faster than the ne t closest approach.

Support for IPv6

Real ser Monitoring measurements by Faceboo and Lin edin showed that mobile page load times over IPv are well over 1 faster than over IPv for the top- S mobile networ s. hile the roll-out of IPv is a multi-decade activity and is su ering from the perception of being slow around of Android and over of iPhone re uests from the top- S mobile networ s used IPv on dual-stac ed sites as of 1 . Cloudflare has not only o ered full IPv support as well as an IPv -to-IPv gateway since 1 Cloudflare also ma es it one clic simple for customers to enable this service. If the origin server supports IPv then visitors arriving

on an IPv connection will be transported via the protocol end-to-end. If the origin server only supports IPv Cloudflare will accept a visitor over IPv and then seamlessly ma e a re uest to the server over IPv . In addition if an application running on the origin server has a hard re uirement to run on IPv Cloudflare provides Pseudo IPv . his option will whenever a connection is established over IPv add a P header to re uests with a pseudo IPv address.

Flat rate pricing

o be a part of the Internet Cloudflare buys bandwidth nown as transit from a number of di erent providers. Cloudflare buys transit wholesale on the basis of the capacity used in any given month paying for ma imum utili ation for a period of time. hile the rate Cloudflare pays varies dramatically from region to region around the world to eep pricing simple Cloudflare charges customers a flat rate regardless of where the tra c is delivered around the world. nli e some cloud services which bill for individual bits delivered across a networ Cloudflare ma es monthly bills predictable. Cloudflare continues to wor to decrease the transit pricing and increasing peering in order to o er the best possible service at the lowest possible price.

Layer 3 and layer 4 DDOS protection—Anycast network resilience with automatic learning platform

In addition to using Cloudflare s Content elivery etwor C the ne t step is to protect the site apps against malicious attac s to ensure uptime. Cloudflare s advanced oS protection provisioned as a service at the

“As bandwidth costs continue to rise having a CDN like Cloudflare serving images on the edge to users is both cost

effective and reduces latency for our mobile customers”

Chris Smith irector of E-Commerce ig Sporting oods

9

networ edge matches the sophistication and scale of the threats and can be used to mitigate oS attac s of all forms and si es. Cloudflare prevented multiple of the largest S attac s including attac s with more than bps.

Layer and layer S attac s are usually volumetric attac s such as S ampli cation S flood and S SY flood attac s. hile those attac s can overwhelm a typical unicast based networ Cloudflare s

Anycast based networ inherently increases the surface by spreading the attac tra c to each of the more than 1 Cloudflare datacenters and to a diverse set of high bandwidth interconnections with other networ s to simply absorb the attac tra c. In addition Cloudflare provides an automatic learning platform where networ tra c is analy ed in real time to identify anomalous or malicious re uests. nce a new attac is identi ed Cloudflare automatically starts to bloc that attac type for both the particular website and the entire community.

Even from a cost perspective attac s usually don t impact Cloudflare Cloudflare buys signi cant amount of wholesale bandwidth and pays for the higher of the ingress inbound or egress outbound tra c averaged over a month. Since Cloudflare acts as a caching pro y under normal circumstances egress always e ceeds ingress usually by around - . hen there s an attac the two lines get closer together but rarely is an attac large enough to add to Cloudflare s overall bandwidth costs. Cloudflare passes on this bene t to their customers and customers are not being charged for an increase in networ tra c caused by a S attac .

As Cloudflare continues to grow its networ and its community it will get harder and harder to launch an e ective oS attac against any of Cloudflare s users.

Layer 7 DDOS protection—Rate Limiter with IP Reputation Database

Li e Layer and volumetric attac s Layer enial of Service attac s use a high volume of re uests to prevent real users from accessing a website. In layer enial of Service attac s a single IP address ma es many re uests which are similar to the pattern of normal non-malicious tra c and thus they are di cult to protect against.

Cloudflare s ra c Protector currently available through an Early Access Program trac s the number of re uests coming to a site from each IP address and identi es sites which are ma ing too many re uests per minute. nce a suspicious IP address is identi ed tra c from this IP address is presented with an interstitial page for about seconds to perform a series of mathematical challenges. If the re uest fails this challenge ra c Protector downgrades that IP s reputation and tra c from this address will be shown a CAP C A page

with every access attempt.

hen Cloudflare identi es an IP addresses that appears to be ma ing malicious re uests it is stored in the Cloudflare IP Reputation atabase. ased on a threat score a re uest either goes through or the re uest is presented with a CAP C A. If the CAP C A fails and the IP address is identi ed as malicious the re uest is bloc ed at Cloudflare s edge for the entire networ bene ting the entire Cloudflare community.

Layer 7 non-DDOS application vulnerability attacks—Web Application Firewall

Layer application layer attac s are the most complicated and sophisticated types of attac s. y mimic ing normal use of an application they are able to get past most oS mitigation e uipment and vulnerability protection services. Common types of attac include S L in ection and Cross-Site Scripting SS which might allow attac ers to access and temper with customer or any other ind of application data.

Cloudflare addresses those threats via its eb Application Firewall AF . he AF implements the ASP Core Rule Set Cloudflare provided out of bo rules as well as custom rules created by the community customers.

1

A new rule released by Cloudflare will propagate to all Cloudflare server nodes within seconds and the AF itself adds less than 1ms of latency per re uest providing security without any performance ta . his

way Cloudflare has been able to protect their customers against ma or ero- ay vulnerabilities including the Shellshoc vulnerability or the eartbleed ug.

TLS 1.3 and HTTP/2 with Server Push

Encryption is essential to provide a trustworthy shopping e perience but the latest SSL enhancements can be used to do it right and increase performance. ransport Layer Security 1. LS not only removes insecure features of previous LS versions it also reduces latency by cutting the round-trip of the protocol in half. Cloudflare was rst to deploy LS 1. and heavily contributed to the standard. Cloudflare was also rst to deploy P which only wor s with LS. P increases performance especially latency as perceived by the end-user while using a browser. P wor s in combination with Server Push where a server can send resources the client has not yet re uested to accelerate perceived performance even more. LS 1. and P with Server Push are ust two e amples of Cloudflare s e ort to constantly integrate emerging technologies into its networ .

Takeaways

Sign up with Cloudflare to improve the performance of your mobile site and apps while protecting them from S attac s and application vulnerabilities. he set up is easy and usually ta es less than minute to get up

and running. Chec out the plans ranging from free to enterprise at www.cloudflare.com.

To learn more about Cloudflare, please contact us.www.cloudflare.com

enterprise@cloudflare.com

1 888 99 FLARE

“We take the impact of a DDOS attacks very seriously. Even in those instances when our domain has faced a DDOS attack, Cloudflare was able to protect our domain quickly, providing a seamless experience for our customers. The single biggest

benefit Cloudflare provides to us is peace of mind that someone is monitoring the network and that you have a way to

mitigate any attack”

Chris Smith irector of E-Commerce ig Sporting oods

1 888 99 FLARE | enterprise@cloudflare.com | www.cloudflare.com

1 Cloudflare Inc. All rights reserved. he Cloudflare logo is a trademar of Cloudflare. All other company and product names may be trademar s of the respective companies

with which they are associated.