Technical Architecture

Technology stack, integration architecture, and infrastructure overview for the Mental Health Foundation website — built on Umbraco CMS with .NET 8, Azure cloud services, and third-party integrations.

Technology Overview

The Mental Health Foundation website is an Umbraco CMS v13 platform running on .NET 8 and hosted on Azure. The architecture follows a server-rendered model using Razor views with the uSkinned Site Builder theme framework, backed by Azure SQL Database for content storage and Azure Blob Storage with CDN for media delivery. Integrations with Salesforce Marketing Cloud (SFMC), Foxy.io e-commerce, and Google Analytics 4 extend the platform with personalisation, online ordering, and analytics capabilities.

Technology Stack

Core technology layers and the rationale for each choice.

Frontend
Razor / CSHTML
Server-side rendered views using ASP.NET Core Razor templates with Umbraco content models
uSkinned Site Builder v6.3.1
Theme builder framework providing responsive layouts, block-list components, and design panel controls
SCSS / CSS
Compiled SCSS stylesheets with Bootstrap via uSkinned for responsive design
JavaScript
Client-side functionality including Foxy.io SDK, SFMC beacon, GA4 gtag.js, and Google Maps API
Backend
.NET 8.0 / C#
ASP.NET Core web application with Umbraco CMS v13.8.1 as the content management layer
Azure App Service
Windows Server hosting with IIS, providing managed compute with auto-scaling capabilities
Azure SQL Database
Managed SQL Server instance for Umbraco content, member data, and application state
Azure Blob Storage + CDN
Media storage (account: stgmentalhealth) with CDN distribution and ImageSharp WebP optimisation
Integrations
Salesforce Marketing Cloud (SFMC)
Persona-based content personalisation via JavaScript beacon and REST API with real-time segment evaluation
Foxy.io
E-commerce platform — hAPI (REST), SSO (SHA1 + JWT), webhooks (HMAC-SHA256), and JavaScript cart SDK
Google Analytics 4
Analytics tracking with custom user_persona dimension for segment engagement reporting
Looker Studio
BI dashboards for e-commerce sales visualisation, stock levels, and campaign comparison (via Foxy CSV exports)
Mailshop
Physical order fulfilment partner — CSV export workflow for order dispatch and stock reconciliation
Infrastructure
Azure App Service
Windows Server hosting with IIS, managed by Azure for high availability and scaling
Azure Key Vault / User Secrets
Production secrets in Key Vault; local development via .NET User Secrets (ID: MentalHealth-123456)
Serilog Logging
Structured logging for auth events, Foxy SSO, SFMC retrieval, rate limiting, and webhook processing
Terraform
Infrastructure as code for Azure resource provisioning and environment management
Azure Pipelines
CI/CD on master branch — NuGet restore, MSBuild, xUnit tests, and artifact deployment

Integration Architecture

How the platform integrates with external services and orchestrates data flow across personalisation, e-commerce, analytics, and fulfilment.

Personalisation
Salesforce Marketing Cloud
  • Persona segment evaluation
  • JavaScript beacon tracking
  • Real-time audience detection
JS Beacon + REST API
Analytics & BI
Google Platform
  • GA4 (gtag.js tracking)
  • Looker Studio dashboards
  • Google Maps API
JavaScript
CSV Import
Core Platform
Umbraco CMS v13
  • Razor / uSkinned frontend
  • .NET 8 API layer
  • Azure SQL Database
  • Azure Blob Storage + CDN
hAPI (REST)
SSO + Webhooks
E-Commerce
Foxy.io
  • Cart, checkout & payments
  • Customer & order management
  • Transaction webhooks
HTTPS / Browser
End Users
Website Visitors & Members
  • Public visitors (personalised content)
  • School, Workplace & Professional members
  • Backoffice content editors

Security Architecture

Authentication, data protection, application hardening, and integration security measures across the platform.

  • Umbraco Members Authentication — ASP.NET Core Identity with email confirmation, role-based access (Schools, Workplaces, Professionals), and PBKDF2 password hashing
  • Foxy SSO Integration — SHA1-based checkout SSO with 90-second token TTL and JWT-based customer portal authentication via super password
  • HTTPS Enforcement — TLS encryption on all transport; secure cookies (SameSite: Lax, Secure: true) for persona and session data
  • Webhook HMAC Validation — Foxy transaction webhooks validated with HMAC-SHA256 signatures; 401 returned on invalid signatures
  • Secrets Management — Azure Key Vault for production; .NET User Secrets for local development. API keys, connection strings, and SSO secrets never committed to source
  • Rate Limiting — IP+email based throttling: 5 registration attempts per 10 minutes; 10 login attempts per 5 minutes. Returns 429 when exceeded
  • Input Validation & XSS Prevention — ASP.NET Core model validation, email domain verification (.school.nz for Schools), CAPTCHA (hCaptcha/reCAPTCHA), Razor auto-encoding, and TinyMCE sanitisation
  • User Enumeration Prevention — Generic error messages on login failure and registration; no user information exposed in confirmation URLs

Performance Targets

Key non-functional requirements defining expected performance, throughput, and availability benchmarks.

Metric Target Priority Rationale
Personalisation overhead < 100ms Must Have SFMC beacon must not impact page load (LCP/FCP unaffected)
SFMC API response < 2,000ms (p95) Must Have Persona retrieval timeout; graceful fallback after 2 seconds
Login completion < 2 seconds Should Have Including Foxy customer sync and SSO token generation
Foxy SSO redirect < 1 second Should Have Seamless checkout experience without noticeable delay
Webhook processing < 5 seconds Should Have Foxy transaction webhooks must respond within 30s external timeout
Concurrent webhooks 10 / second Should Have Handle campaign peaks (PSD: 1,000–2,000 orders/day)
Platform availability 99.9% uptime Should Have Authentication, components, and webhook endpoints

Planned Enhancements

Architecture extensions planned for future phases to improve security posture, performance, and operational capabilities.

Upcoming Platform Improvements

These enhancements will extend the current architecture with additional security headers, caching strategies, automated integrations, and monitoring capabilities as the platform matures.

  • CSP & HSTS Headers
    Content Security Policy and HTTP Strict Transport Security for enhanced browser-level protection
  • Output Caching
    Server-side response caching to reduce database load and improve page load times
  • Bundle Stock Sync (F-09)
    Automated bundle-to-component inventory synchronisation via Foxy webhooks and hAPI
  • Automated Looker Studio Refresh
    Replace manual CSV imports with scheduled data pipeline for real-time BI dashboards