AllSaints - Case study

AllSaints enhances site performance security and reliability by partnering with Cloudflare

AllSaints is a global retail company with over 200 brick-and-mortar stores and localized ecommerce platforms spanning 27 countries across Asia, Canada, North America, and Europe. Their 2,500 employees develop unique clothing and accessories while prioritizing sustainability.

The designer brand has experienced massive growth in the last 30 years and has been recognized with many awards over the years. In November 2023, the company was recognized at the Drapers Awards with the Retailer of the Year >£100m Turnover Award.

Challenge: Scaling to handle sudden traffic surges

AllSaints needed a solution that could enhance site stability. When their website experienced sudden surges in traffic, their existing CDN provider was not able to offer the capacity and resources needed to provide a consistent or fast user experience.

Beyond site performance, AllSaints also wanted to enhance the security of their infrastructure and customer data. The company’s sites were commonly targeted by cyberattacks, including distributed denial-of-service (DDoS) and BIN attacks.

Additionally, the company wanted to have controls in place to ensure GDPR and PCI compliance and protect customer confidence in the brand’s security. According to Andy Dean, AllSaints’ Technical Operations Manager, “We have continually attained our PCI DSS Attestation of Compliance (AoC) each year, and this has by part been due to having a comprehensive WAF as part of our infrastructure. Protecting our assets which need to be kept private whilst also providing security to our public applications has been possible thanks to Cloudflare.”

This is going to be even more of a challenge this year with the additional requirements of v4. We are already in discussion to add Cloudflare PCI ASV Scanning to our toolbox in 2025.

AllSaints needed more than a CDN. It also needed a way to accelerate dynamic content (like customer shopping carts), and a way to bolster security to safeguard consumer confidence and ensure PCI and GDPR compliance.

Enhancing site performance under peak load

AllSaints initially partnered with Cloudflare to take advantage of their global CDN. Cloudflare’s global network and tiered caching capabilities ensured that AllSaints could maintain high performance even in the face of sudden traffic surges.

“One of the biggest tangible benefits of using Cloudflare is our site speed,” says Dean. “When we have a large influx of traffic, our site actually gets quicker with the tiered caching.”

Over time, AllSaints deployed additional Cloudflare solutions to build on these performance gains. Argo Smart Routing optimizes how AllSaints’ traffic moves over the Internet, further reducing page latency and response times. Approximately one-third of AllSaints traffic is managed by Argo, which provides a 21% performance gain on average. Dean commented, “Having Argo routing enabled on our consumer websites has improved the network performance and speed of our web platforms. Cloudflare is constantly reviewing this routing to ensure we are using the optimum networks.”

These solutions help ensure that AllSaints’ webpages are fast and consistently available even when under strain.

“The faster you are during a heightened period of traffic, the more revenue you’ll take. Ultimately, that’s better for our bottom line,” Dean adds.

Ensuring site resiliency against surges and cyberattacks

AllSaints faced the threat of potential downtime due to legitimate and malicious traffic alike. A sudden surge in interest could overwhelm the site, or attackers could target it with distributed denial-of-service (DDoS) attacks or attempted vulnerability exploits.

With Cloudflare Cloud DNS and DDoS Protection, AllSaints is able to prevent attackers from overloading the company’s systems with spam requests. Additionally, AllSaints leverages the Cloudflare Web Application Firewall (WAF) to identify and block attempted exploits before they reach potentially vulnerable sites. In a 24-hour period, the Cloudflare WAF has blocked as many as 88,000 attacks against AllSaints’ sites.

One common threat that AllSaints faces is BIN attacks, where cybercriminals use a payment page to try to brute force valid payment card combinations. The company uses Cloudflare to protect its payment gateways from illegitimate requests and ensure a positive experience for legitimate customers. According to Dean, “Using CAPTCHA for certain users during crucial parts of our checkout allows us to control and reduce the amount of non-human traffic to this area of our website, which safeguards this area for existing and potential customers.”

By investing in their infrastructure and security solutions, AllSaints has ensured that their site will always be available to customers.

“One of the largest business benefits we’ve seen is increased site stability,” says Dean. “Since adopting Cloudflare, I have to go back years to find out when we had our last outage.”

Looking to a Zero Trust future

Like many companies, AllSaints has Zero Trust as a core component of their security roadmap. Zero Trust aims to enhance security by explicitly verifying each access request and applying least privilege access controls to all corporate resources. Currently, they plan to combine a Zero Trust network access (ZTNA) solution with their existing Cloudflare WAF and CDN to implement Zero Trust principles at the network edge.

The ability to implement so much of their security roadmap with Cloudflare solutions is a major selling point for Dean.

“I love working with Cloudflare because of their brand, rate of change, technology, and ability to develop products in situ,” he says. “It makes my life and my job a lot easier, and I'm proud to be a partner.”