The Most Dangerous File in Your B2C Store (And It’s Only 1KB)
The Most Dangerous File in Your B2C Store (And It’s Only 1KB)
Before we get into code, let me ask you something:
Would you be okay if a customer found your staging environment on Google?
Because it’s happening. Right now.
Thousands of Salesforce Commerce Cloud sandboxes and staging environments are publicly indexed on Google. Real subdomains, with fake products, broken payment flows, and half-finished campaigns... all visible with a quick search.
We’re not making this up. Just type:
site:dx.commercecloud.salesforce.com You'll find live sandboxes from stores all around the world. Some even let you add to cart. Others show test credit card flows. Beauty stores, tech retailers, luxury fashion... indexed by Google and available to anyone. Including your competitors.
So why is this happening?
Because someone forgot to set up a single file: robots.txt.
Let’s be clear. This file doesn’t protect your site with encryption or passwords. It just sends a message to crawlers like Googlebot, Bingbot, Yandex, etc., telling them what to index and what to skip.
But when you don’t say anything, crawlers do whatever they want. And guess what? They love discovering new sites, especially ones that are half-broken and still in development.
Salesforce B2C Commerce gives you multiple options to configure this in Business Manager, under Merchant Tools > SEO > Robots.
You can:
Allow everything (great for production)
Block everything (mandatory for staging and sandbox)
Or paste a custom file with full control
You can even manage it from the cartridge, but good luck pushing urgent changes if that’s your only option. You’ll need a full deployment, QA, code review... the usual drama.
And here's a bonus tip most people miss: if your site is set to Online Protected, Salesforce auto-generates a blocking robots.txt. Sounds great, right?
Until someone disables the password protection.
Boom. Your staging site is now live and fully crawlable, and you didn’t even notice.
We explain all of this, step by step, in the Advanced SFCC Configuration course, including examples, gotchas, and how to safely manage this across all your environments. If you care about SEO, brand reputation, or simply not looking like an amateur... this is the stuff no one tells you.
And if you want more content like this...
