
CloudPages Security Best Practices

Publish Date: Feb 3, 2026
Description
  • Perform all processing and validation on the server side. Don’t perform validation using client-side JavaScript or Ajax.

  • Verify the subscriber’s identity by using at least two query string parameters before you present data or do any other processing on the landing page.

  • Carefully review CloudPages workflow processes before you publish them.

  • Surround non-authenticated, non-application public landing pages with a global If-Then clause. In the clause, check for empty required parameters. Use this clause for front-end pages and for processing landing pages. This step prevents a landing page from being processed if somebody accesses it directly. It also prevents users from manipulating parameters.

  • When you link to public CloudPages, use the AMPscript CloudPagesUrl() function. This function uses encryption to protect data in query strings. Don’t use simple encodings, such as Base64 or the AMPscript StringToHex() function, to pass sensitive information, including SubscriberId and SubscriberKey. Base64 and hex strings can be decoded easily.

  • Ensure that CloudPages are being used for their intended purposes by performing regular security reviews and audits.

  • Enable security headers in your CloudPages. To enable security headers, add this code in the code view of your content page.

<script runat=server>
    Platform.Response.SetResponseHeader("Strict-Transport-Security","max-age=200");
    Platform.Response.SetResponseHeader("X-XSS-Protection","1; mode=block");
    Platform.Response.SetResponseHeader("X-Frame-Options","Deny");
    Platform.Response.SetResponseHeader("X-Content-Type-Options","nosniff");
    Platform.Response.SetResponseHeader("Referrer-Policy","strict-origin-when-cross-origin");
    Platform.Response.SetResponseHeader("Content-Security-Policy","default-src 'self'");
</script>
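The following AMPscript sketch is an added example, not code from this article or from Salesforce. It combines three of the practices above: an encrypted link built with CloudPagesUrl(), a global If-Then clause that checks for empty required parameters, and server-side identity verification using two parameters. The page ID 1234, the parameter names sk and em, and the data extension Subscribers_DE with its SubscriberKey and EmailAddress fields are assumptions chosen for illustration.

```ampscript
%%[
/* --- In the email: build the link (1234 is a placeholder CloudPage ID) --- */
/* CloudPagesURL encrypts the name/value pairs instead of exposing them     */
/* as readable or merely encoded (Base64, hex) query string values.         */
SET @prefUrl = CloudPagesURL(1234, "sk", _subscriberkey, "em", emailaddr)
]%%
<a href="%%=RedirectTo(@prefUrl)=%%">Manage preferences</a>

%%[
/* --- On the CloudPage: global guard around all content and processing --- */
VAR @sk, @em, @storedEmail, @verified
SET @sk = RequestParameter("sk")
SET @em = RequestParameter("em")
SET @verified = false

/* 1. Required parameters must be present, so direct access to the page     */
/*    (no parameters) never reaches the processing logic.                   */
IF NOT EMPTY(@sk) AND NOT EMPTY(@em) THEN

  /* 2. Both values must match the same row. Subscribers_DE and its field   */
  /*    names are hypothetical. The check runs on the server, not in        */
  /*    client-side JavaScript.                                             */
  SET @storedEmail = Lookup("Subscribers_DE", "EmailAddress",
                            "SubscriberKey", @sk,
                            "EmailAddress", @em)

  IF NOT EMPTY(@storedEmail) THEN
    SET @verified = true
  ENDIF
ENDIF

IF @verified == true THEN
]%%
  <!-- Subscriber-specific content and form processing go only here -->
  <p>Preferences for %%=v(@storedEmail)=%%</p>
%%[ ELSE ]%%
  <!-- Same generic response for missing and mismatched parameters -->
  <p>This link is invalid or has expired.</p>
%%[ ENDIF ]%%
```

Returning the same generic message for missing and mismatched parameters avoids telling a visitor which of the two values was wrong.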

Knowledge Article Number

002743057

Salesforce Help | Article