• The Email Marketing tab within the Stores section has been temporarily disabled. This measure has been implemented to accommodate ongoing updates and improvements. During this period, admin users will not have access to email marketing features from the Stores section. The functionality will be restored once the necessary changes have been completed and validated.   

• In this release, the ability to add, manage, or modify promotions, coupons, and vouchers has been temporarily disabled on the Manage Order screen in the Admin Console. While promotions and coupons applied during order creation will still be visible on the Manage Order screen, the options to add new promotions or remove existing ones will not be available. This functionality will be re-enabled in a future update.  

• As a temporary optimization to address memory consumption issues during sitemap and product feed generation, the default chunk size has been reduced from 50,000 to 10,000 records. This change improves processing stability for large datasets and applies to Product Sitemaps, Category Sitemaps, Content Page Sitemaps, and Product Feeds (Google, Bing, and XML). Future enhancements may revisit this configuration as part of ongoing performance improvements.

• Temporary removal of line-item REMOVE action from the checkout page. Shoppers must modify items on the cart page before checkout. Ensures consistency with updated checkout session handling. 

• The new Did You Mean (DYM) capability enhances the site search experience by providing spelling correction suggestions when a customer's search returns no results. 
• Powered by Elasticsearch suggesters, the feature helps users recover from misspelled or incorrect search queries by presenting alternative search terms that are more likely to return relevant results. 
• For example, if a user searches for "diwalt" and no results are found, the storefront may display: 
• Did you mean: dewalt? 
  • Selecting a suggestion automatically re-executes the search using the suggested term, helping users find relevant products faster and reducing search abandonment.

• Admin Configuration 
  • A new Search Behavior section has been added under: 
    • Marketing → Site Search → Manage PIM Indexes → PIM Index Settings 
    • Administrators can configure the following:  

• Enable Did You Mean 
  • Enable or disable DYM functionality at the catalog (PIM Index) level. 
  • Default value: Disabled 

• Maximum Suggestions 
  • Configure the maximum number of suggestions displayed to shoppers. 
  • Supported range: Up to 5 suggestions. 
  • Suggestions are ranked and displayed in order of relevance. 

• DYM Attributes 
  • Administrators can select which searchable attributes are used to generate suggestions. 
  • Supported default attributes include: 
    • Product Name 
    • SKU 
    • Brand 
  • Only attributes that: 
    • Are configured as searchable (Use In Search = Yes) 
    • can be selected for DYM generation. 

• Storefront Experience 
  • When a search returns no results and valid suggestions are available: 
    • The "Did you mean:" section is displayed. 
      • Up to the configured number of suggestion links are shown. 
      • Suggestions are clickable and execute a new search using the selected term. 
  • Once a suggestion is selected, the search runs using the suggested term, and the DYM section is not displayed again for that search. 

• To improve response times: 
  • Repeated search suggestions are cached. 
  • Cached suggestions are automatically refreshed after index recreation or DYM configuration changes. 

• Suggestions are displayed only when: 
  • DYM is enabled 
  • The search returns zero results 
  • Valid suggestions are available 

• Suggestion Strategy 
  • This release uses the Elasticsearch Basic (Term Suggester) approach for generating spelling corrections. 

• Search Profile Dependency 
  • DYM attributes must remain aligned with the attributes configured in the Search Profile. 
  • Removing an attribute from either configuration may result in incomplete or inaccurate suggestion generation. 
• Index Recreation Required 
  • After adding, removing, or modifying DYM attributes: 
    • A full index recreation (republish) is required. 
    • DYM data is generated during indexing and is not dynamically rebuilt at query time. 

• Performance Impact 
  • Performance observations during testing (~11,000 products): 
    • Index size increased by approximately 3% 
    • Publish time increased slightly (approximately 1 additional minute) 
    • Elasticsearch peak CPU utilization increased during indexing 
    • Memory impact was negligible 
    • Initial searches may take slightly longer until cache is populated 
  • Actual impact may vary depending on catalog size and the number of configured DYM attributes. 

• Existing Search Features 
  • This enhancement does not affect existing search capabilities, including: 
    • Typeahead Search 
    • Hydrated Search 
    • Synonyms 
    • Keyword Redirects 
    • Boost & Bury Rules 
    • Auto Correct 
    • Hide From Search 
    • Existing Search Profile configurations 

• To ensure the new feature functions as intended, using the latest version of the Storefront is recommended. Older versions may support the feature partially or could lead to limited functionality or operational inconsistencies.

• Added Track Order, Quick Order and Forgot Your Password pages under Commerce Pages in Page Builder. 
• Enables administrators to customize page layouts using existing Page Builder components. 
• Preserves the core functionality and workflow of Track Order, Quick Order and Forgot Your password pages. 
• Supports drag-and-drop placement of Page Builder components above and below the predefined page structure. 
• Allows editing of page-specific labels, headings, descriptions, and instructional content through Page Builder attributes. 
• Supports preview, publish, version history, and locale management using existing Page Builder capabilities. 
• Provides a consistent Page Builder experience aligned with other commerce and content pages. 
• Maintains full backward compatibility with existing storefront implementations and customizations. 
• Supports multi-store and multi-locale environments. 
• No impact on existing customer workflows or order management functionality. 

• The v10.11.1.0 release introduces enhancements to the checkout session management framework, enabling greater flexibility and control over how checkout sessions behave and expire. Building on the functionality introduced in v10.10.1.0, this update provides configurable options to manage session expiration, improve storefront experience, and align checkout workflows with updated processing logic.
   
• Key updates include new global settings to control timer-based expiration and countdown visibility, temporary UI adjustments to support the revised flow, and backend refactoring that separates checkout logic from cart operations. These improvements aim to create a more stable, customizable, and scalable checkout experience. 

• To ensure the new feature functions as intended, using the latest version of the Storefront is recommended. Older versions may support the feature partially or could lead to limited functionality or operational inconsistencies.
   
• By default, the Enable Timer-Based Checkout Expiration setting is False, meaning the timer-based expiration that was mandatory in earlier releases will be disabled after upgrading.
   
• Impact on Custom Implementations 
  • Customizations related to cart, checkout APIs, workflows, validations, and UI must be reviewed. 
  • Existing implementations may require updates to align with the new architecture and session management changes. 

• Configurable Checkout Expiration Control 
  • Introduced Enable Timer-Based Checkout Expiration setting. 
  • Allows administrators to enable or disable time-based session expiration. 
  • When disabled (default), sessions persist until order completion or manual cancellation, with no expiration UI or timeout validation. 
  • Existing timeout behavior continues unchanged when enabled.  

• Persistent “Last Checkout Wins” Behavior 
  • Only the most recent checkout session remains active across devices/tabs. 
  • All previously initiated sessions are marked inactive and cannot be used for order placement. 
  • Future enhancement planned to allow configuration of this behavior.  

• Checkout Countdown Visibility Control 
  • New Hide Checkout Countdown setting to control timer display on storefront. 
  • Timer can be hidden without impacting backend expiration processing. 
  • Applicable only when timer-based expiration is enabled.  

• Checkout UI Adjustment 
  • Temporary removal of line-item REMOVE action from the checkout page. 
  • Shoppers must modify items on the cart page before checkout. 
  • Ensures consistency with updated checkout session handling.

• This release introduces a configurable Content Security Policy (CSP) framework for the Admin Console, enabling administrators to extend and manage CSP directives without requiring code changes or deployment updates.
   
• Previously, CSP configurations were fully managed within the application using predefined settings. With this enhancement, administrators can now dynamically add trusted domains and directives to support business integrations, external APIs, scripts, and embedded resources while maintaining the integrity of the default security configuration. 

• To ensure the new feature functions as intended, using the latest version of the Storefront is recommended. Older versions may support the feature partially or could lead to limited functionality or operational inconsistencies.
   
• Incorrect configuration of Content Security Policy (CSP) settings may result in unintended behavior, including restricted or blocked access to the Admin Console. Administrators should ensure all configurations are validated before applying changes. 

• Impact on CSP Changes in Admin 
  • Configurable CSP via Global Settings 
    • Introduces a new global setting: Content Security Policy (Admin Console) 
    • Places the setting under: Global Settings → API And Security Settings 
    • Allows administrators to define additional CSP directives using a textarea-based configuration  
  • Combined CSP Execution Model 
    • The Admin application maintains default CSP directives internally. 
    • The system appends user-defined CSP entries to the default configuration. 
    • The application generates the final CSP header using: 
      • Default system-defined directives 
      • Administrator-defined directives 
  • Flexible Multiline Configuration Support 
    • Supports multiline CSP entries for better readability and management. 
    • Enables configuration of multiple directives such as: 
      • script-src 
      • frame-src 
      • connect-src 
      • style-src  
      • img-src, and others 

• Input Validation and Data Integrity 
  • Validates:  
    • CSP directive syntax 
    • Domain and URL format 
  • Prevents:  
    • Invalid or malformed entries 
    • Duplicate configurations where applicable 
  • Ensures that only valid CSP directives are accepted

• Default CSP Configuration Support 
  • The system includes a predefined default CSP configuration to ensure secure baseline behavior. 
  • If administrators do not provide custom values, the application continues to use the default configuration without changes. 

• Real-Time Application of Changes 
  • Applies configuration changes immediately after update. 
  • Does not require a publish action. 
  • Enables faster implementation of security updates and integrations. 

• Administrative Control and Auditability 
  • Allows only authorized administrators to modify CSP configuration. 
  • Maintains audit logs for all configuration changes. 
  • Supports governance, monitoring, and compliance requirements. 

• Default Behavior and Guidance 
  • Includes predefined CSP directives to support scripts, styles, images, frames, APIs, and other resources. 
  • Allows img-src * by default to support images from all domains. 
  • Requires administrators to explicitly configure domains if permissive defaults are removed. 
  • Recommends adding third-party domains to CSP configuration if resources fail to load 

• May restrict content loading if administrators remove permissive defaults (such as *) without proper configuration. 

• Supports integrations involving external APIs, third-party scripts, and embedded content. 

• Applies changes automatically while following the existing configuration lifecycle. 

• Even if the Enable XSS Validation and Enable IDOR Validation flags are set to true, the changes will only take effect after explicitly saving the configuration. 

• This could be a breaking change when enabled; it is important to adopt the update carefully and perform thorough regression testing across all impacted features after upgrading. 
  Key Features: 

• Global Configuration for XSS Validation 
  • Introduces a new global setting: Enable XSS Validation 
  • Located under: Global Settings → API And Security Settings 
  • Configured as a Yes/No toggle 
  • Provides centralized control over XSS validation behavior across the application 

• Dynamic Validation Control 
  • Allows administrators to control XSS validation behavior globally: 
  • When Disbaled (NO): 
    • XSS validation checks are skipped 
  • When Enabled (YES) - Default Value: 
    • Standard XSS validation remains enforced 
  • Default Behavior 
    • The setting is configured with a default value that preserves existing application behavior 
    • Ensures that XSS validation continues to function as currently implemented unless explicitly changed 
  • Applicable Functional Areas 
    • The setting currently applies to the following areas: 
      • Storefront (Registered Users) 
      • Edit Profile
      • Edit / Update Address 
  •  Admin Console 
    • Create User 
    • Edit User 
    • Address Management under Manage Users 
  • Backward Compatibility 
    • Existing application behavior remains unchanged after deployment 
    • No impact on existing integrations or workflows unless the setting is explicitly modified 
    • Ensures smooth adoption without disruption 

• Administrative Control and Governance 
  • Only authorized administrators can modify the setting 
  • Configuration changes follow the existing application refresh/reload mechanism 
  • All updates are tracked through audit logging 
  • Proper validation and permission checks are enforced before applying change

Important Points:  

• The setting applies globally across the application 
• Disabling XSS validation may increase security risk and should be used cautiously 
• Intended to support specific use cases such as trusted integrations or controlled environments 
• Administrators should ensure appropriate validation mechanisms are in place when disabling XSS protection 

• This release introduces a Standardized Display Order (DO) Management System to unify and streamline how entities are ordered across the platform. 

• Previously, display order handling was inconsistent—some areas rely on hardcoded values while others do not support ordering at all. This leads to dependency on development teams, inconsistent user experiences, and limited flexibility in implementing business or merchandising strategies. 

• With this enhancement, the system provides a centralized, configurable, and scalable solution that enables administrators to define and control display order across all supported entities. The update ensures consistent ordering behavior across both Storefront UI and APIs while eliminating hardcoded dependencies. 

• To ensure the new feature functions as intended, using the latest version of the Storefront is recommended. Older versions may support the feature partially or could lead to limited functionality or operational inconsistencies. 

• Configurable Display Order Management 
  • Introduces Display Order (DO) as a configurable attribute across applicable entities 
  • Enables administrators to define and update ordering without code changes 
  • Replaces hardcoded ordering logic with configurable values 

• Standardized Sorting Logic 
  • Applies consistent sorting rules across the platform: 
  • Primary Sorting: Ascending order of Display Order (lower values appear first) 
  • Secondary Sorting: Alphabetical order (A–Z) for duplicate values 
  • Ensures deterministic and predictable ordering

• Flexible Value Handling 
  • Supports duplicate Display Order values 
  • Allows non-sequential inputs (e.g., 1, 5, 10) 
  • Uses alphabetical sorting to resolve duplicates 

• Validation and Constraints 
  • Accepts only positive integers for Display Order 
  • Rejects invalid inputs such as: 
    • Non-numeric values 
    • Negative or zero values 
    • Decimal values 

•  Displays clear validation messages (e.g., “Display Order must be a positive number.”) 

• Default Value Handling 
  • Assigns a default Display Order value of 999 when not explicitly provided 
  • Ensures consistent fallback behavior for unordered entities 

• Draft and Publish Workflow Support 
  • Supports draft mode (where applicable) 
  • Applies changes only after publish action 

• Ensures that only published values reflect in: 
  • Storefront UI 
  • API responses 

• Consistent Behavior Across UI and APIs 
  • Applies Display Order logic uniformly across:  
    • Storefront interfaces 
    • API responses 
  • Eliminates discrepancies between frontend and backend ordering

Admin Workflow 

• Configuration and Update Flow 
  • Admin user navigates to the relevant entity configuration 
  • Views records along with their Display Order values 
  • Updates one or more Display Order values 
  • System validates inputs (numeric, greater than zero) 
  • Admin saves changes (draft mode, if supported) 
  • Admin publishes updates 

• System Actions 
  • Stores updated values in the database 
  • Applies sorting logic 
  • Updates API responses 
  • Reflects changes across all user-facing interfaces 

• Important Note:  
  • Display Order is fully configurable (no hardcoding) 
  • Sorting logic: Display Order (ascending) + alphabetical tie-breaker 
  • Changes are reflected only after publish 
  • Applies consistently across UI and APIs 
  • Supports scalability without performance impact 
  • Only authorized Admin users can update Display Order 
  • If the “Is Default” flag is enabled, it takes precedence over Display Order 

• Entities Considered in Phase 1 
  • The following areas are included due to their direct impact on customer experience and storefront behavior: 
    • Manage Store (Post-Publish Scope) 
      • Brands 
      • Shipping Methods 
      • Storefront Payment Methods 
      • Offline Payment Methods 
      • Sort By Options 
    • Manage Products 
      • Product Attributes (Facets)
      • Attribute Values
    • Manage Search Profile 
      • Associated Facets 

• Out of Scope 
  • Changes to core sorting algorithms beyond ordering sequence 
  • UI enhancements such as drag-and-drop 
  • Role or permission model changes 

• Guest User Behavior: 
  • IDOR validation is not applicable for guest users. 
  • Guest flows (such as cart operations without login) continue to function using the platform’s existing access model, as no user context is available.

• Important Note:  
  • Any modification to the request context structure or encryption logic is not supported by the backend and will result in validation failure. 
  • Only a few APIs are currently covered; more will be included in upcoming releases. 
  • List of APIs can be accessed here.

• Added support for Google Pay payments through the Spreedly payment gateway, with Authorize.Net and CyberSource as supported processors.  

• To ensure the new feature functions as intended, using the latest version of the Storefront is recommended. Older versions may support the feature partially or could lead to limited functionality or operational inconsistencies. 

• Introduced Google Pay as a payment option within Spreedly configuration for Authorize.Net and Cybersource gateways. 

• Enables seamless token-based wallet payments during checkout without requiring card entry. 

• Supports standard payment workflows:  
  • Authorize Only 
  • Authorize and Capture 
• Available across key transaction flows:  
  • Storefront checkout 
  • Admin impersonation 
  • Quote-to-Order 

• Added “Google Pay” option in Select Payment Type (available only for Authorize.Net and Cybersource). 

• Payment type dropdown options are now alphabetically sorted. 

• Introduced Google Pay Merchant ID under Additional Settings (mandatory for enabling Google Pay). 

• Renamed “Znode Payment Settings” section to “Additional Settings” across all applicable configurations. 

• Displays Google Pay button on checkout alongside other supported payment methods. 

• Launches a native Google Pay modal for payment confirmation. 

• Supports secure authentication via customer’s Google account and device security. 

• No card details are entered or stored within Znode.
   

• Fully backward compatible with existing payment gateways and configurations. 

• No impact on existing payment methods such as Credit Card, ACH, PayFabric, or offline payments. 

• Retains standard Znode payment behaviors for cancellation and navigation.
   

• Supported only with Spreedly + Authorize.Net or Cybersource. 

• Not supported:  
  • Saved cards 
  • Partial payments 
  • Verify-only transactions 
  • Partial refunds (future enhancement) 
  • B-Store scenarios 
  • Wallet-specific reporting enhancements 

• Available for approval routing in digital payment scenarios. 

• Supports offline payment flows where applicable. 

• Google Pay Production Readiness: To process Google Pay transactions with live cards in Production, the merchant domain URL(s) must be approved by the Google Pay team. This approval ensures compliance with Google Pay integration and security standards before live transactions can be enabled. Below are the steps for the same: 

• Steps to Obtain Google Pay Merchant ID (Live/ Production Mode) 
  • Navigate to the Google Pay & Wallet Console:Google Pay & Wallet Console  
  • Sign in using your organization’s Google account.  
  • From the left navigation menu, click:  
  • Google Pay API  
  • Open the Web Integration section.  
  • In the Your Website section:  
    • Enter the website URL where Google Pay will be integrated.  
    • Ensure the website uses HTTPS and is publicly accessible. 
  • In the Your Google Pay API Integration Type section:  
    • Select Gateway as the Integration Type.  
    • Upload the required buyflow screenshots under:  
      • Item Selection  
      • Pre-purchase Screen  
      • Payment Method Screen  
      • Google Pay API Payment Screen  
      • Post-purchase Screen  
      • Click Save to submit the integration details for review.  
      • Complete the business verification and approval process required by Google.  
      • Once the integration is approved, navigate to the Dashboard section of the Google Pay & Wallet Console.  
      • Copy the Merchant ID displayed on the Dashboard page. 

• Enhanced the Authorize.Net payment integration to improve transaction traceability and support downstream payment operations. 

• To ensure the new feature functions as intended, using the latest version of the Storefront is recommended. Older versions may support the feature partially or could lead to limited functionality or operational inconsistencies. 

• Extended transaction data capture to include additional gateway-provided identifiers such as: 

• Authorization Code 

• Customer Profile Identifier 

• Payment Profile Identifier 

• These enhancements enable better support for downstream processes such as capture, refunds, and adjustments. 

• Introduced comprehensive logging of Authorize.Net transaction responses for successful payment events, including authorization, capture, verification, and payment method storage. 

• Transaction responses are stored in a structured format to improve auditability, troubleshooting, and operational visibility. 

• Logging occurs only when a valid transaction response is received, ensuring data accuracy. 

• Improved reliability of payment lifecycle operations 

• Enhanced visibility into payment processing 

• Better alignment with payment gateway requirements 

• Introduced caching to improve the performance and responsiveness of configuration retrieval for payment-related operations. 

• To ensure the new feature functions as intended, using the latest version of the Storefront is recommended. Older versions may support the feature partially or could lead to limited functionality or operational inconsistencies. 

• Implemented API-level caching for configuration retrieval to reduce redundant processing and improve response times. 

• Caching is applied selectively to endpoints that serve relatively stable configuration data. 

• Introduced an event-based invalidation mechanism to ensure cached configuration data remains accurate and up to date. 

• Added a new Configuration Set event module within webhook/event settings to trigger cache refresh when configuration changes occur.
   

• Caching is currently limited to specific configuration retrieval operations and is not applied to dynamic or user-context-driven endpoints, ensuring real-time accuracy where needed. 

• This targeted approach balances performance optimization with data consistency. 

• Improved API response times for configuration retrieval 

• Reduced system load through optimized data access 

• Ensured data freshness using event-driven updates 

• Enhanced the Vertex plugin configuration by introducing a new Endpoint URL field in the plugin settings.

• To ensure the new feature functions as intended, using the latest version of the Storefront is recommended. Older versions may support the feature partially or could lead to limited functionality or operational inconsistencies. 

• Added the ability for administrators to define and manage the endpoint URL used for tax calculation services directly within the plugin configuration. 

• Provides greater flexibility to configure environment-specific endpoints (e.g., sandbox or production).