Secure, branded domains for Olo’s food ordering service customers.
Olo is the largest provider of white label online food ordering services to restaurant brands. Olo serves as the interface between the restaurant and the on-demand world, giving multi-location restaurants controlled integrations so they can efficiently accept orders from everything from apps to new customer interfaces like the Amazon Echo. Their mission, unchanged since their founding in 2005, is to provide customers with better, faster, more personal service from the restaurants they love. Today, Olo serves over forty million customers for takeout and delivery through branded restaurant apps and sites.
“As a white label service provider, most of our clients have custom domains for their ordering websites,” explained Andrew Murray, CTO of Olo. “We wanted to provide HTTPS on these custom domains without the overhead of clients having to approve certificates and us provisioning new IP addresses or load balancers for each domain.” Providing HTTPS on these custom domains ensures that communications from these white-labeled sites to their respective customers are encrypted."Before Cloudflare...we had some rather unwieldy code to transfer a user's session..."
“Before Cloudflare,” Murray continued, “our clients’ custom domains could only be used for plain HTTP landing pages, and we had some rather unwieldy code to transfer a user’s session from a client’s HTTP custom domain to our secure HTTPS wildcard domain (e.g. https://customername.olo.com), for checkout.” This practice, however, was imperfect for a variety of reasons: First, search engines and browsers are penalizing HTTP sites by respectively lowering search rankings and displaying warnings to users of these sites. Furthermore, having to transfer domains in this fashion prevented the perfect white label experience Olo strives to offer its customers and complicated analytics and synchronizing cookies for these pages. Lastly, as Murray noted “there is just really no good reason to serving any part of a website over HTTP anymore. Even landing pages without sensitive information are, in theory, subject to the man-in-the-middle attacks and eavesdropping for nefarious purposes.”
“We’d considered a few options for fixing this flow,” Murray explained, “such as building our own infrastructure to serve Let’s Encrypt certificates and manually coordinating certificate approval with clients. Thankfully, Cloudflare announced SSL for SaaS right at the time we were looking to make a decision so we looked into what they could offer.“
Today, Olo secures their white labeled webshops with SSL for SaaS and has entirely replaced their previous performance and security vendor with Cloudflare. “Our engineers were happy to say goodbye to the unwieldy code,” Murray remarked. “With SSL for SaaS we have implemented a simpler flow because Cloudflare’s API handles the provisioning, serving, automated renewal and maintenance of our customers’ SSL certificates. Plus, end-to-end HTTPS now means we have bolstered privacy and performance for our customers, and can leverage browser features, like Local Storage, that we couldn’t use before.” Furthermore, these SSL improvements were made without having to change Olo’s end-user implementation.“Our engineers were happy to say goodbye to the unwieldy code...”
Olo also makes use of Cloudflare’s WAF (Web Application Firewall) and DDoS mitigation, which work in concert to make Olo sites more secure and protected from online attacks. “A WAF is required by PCI-DSS so Cloudflare’s WAF is essential to maintaining compliance for our service,” Murray posited. “We also use the WAF for blocking countries where we don’t have customers and IP ranges where we see a large amount of malicious traffic coming from.” Cloudflare’s WAF also makes use of the intelligence from the over 6 million sites on Cloudflare’s network so Olo is protected from the latest known vulnerabilities and attack vectors. Furthermore, Cloudflare’s DDoS mitigation absorbs attacks aimed at Olo infrastructure ensuring sites are always online and available. “Security is the #1 concern of most of our clients,” Murray related. “A more secure website both helps my team and I sleep better at night, and at the same time makes our annual PCI assessment easier!”
“Cloudflare means we no longer have to choose between security and convenience. We can have both!”
-Andrew Murray, CTO