Best Practices

dots 2.png
  • Don’t pass Personally Identifiable Information (PII) in plain text. 

  • Use Encryption methods in the Cloudpage for sensitive data like ClientID, ClientSecret, Tenant endpoints, etc., 

  • Surround non-authenticated, non-application, public landing pages with a global IF/THEN clause. Check for empty required parameters. Use this clause for both front-end pages and for processing landing pages. This step prevents landing pages from processing if somebody accesses pages directly and deters parameter manipulation when accessing the base URL. 

  • Don’t substitute encoding, such as Base64 or StringtoHex, to pass fields that should not pass in plain text. Encoding isn’t encryption and it can be decoded. 

  • Hashing algorithms like MD5 and SHA1 are usually not considered secure. The most commonly used is SHA256.

  • Don’t perform any client-side validation or processing using Client-side JavaScript or AJAX. It is recommended to perform on the Server-side.

  • Use two or more QS parameters to verify it’s the same subscriber before doing any other processing on the landing page or presenting any data. 

  • When using public landing pages in Enterprise 2.0 accounts, use the AMPScript CloudPagesURL function to encrypt all QS parameters.

  • SSJS debugging and exception handling article by Mateusz Dąbrowski.

  • Utilize Code Resources instead of a Landing Page wherever you can, to avoid Supermessages consumption.

  • Implement Google reCAPTCHA that provides a seamless security layer against abusive form submissions and spam attacks. Check out this detailed article by Ivan Razine.

  • Use permissions to manage access to Clodupages.

  • When working with API's, be aware of the volume and frequency that might hit them, and handle it effectively. 

  • To enable security headers, insert the following code in the code view of your content page. You can also change the attributes below as needed.

<script runat=server> 

Platform.Response.SetResponseHeader("Strict-Transport-Security","max-age=200"); Platform.Response.SetResponseHeader("X-XSS-Protection","1; mode=block");


Platform.Response.SetResponseHeader("X-Content-Type-Options","nosniff"); Platform.Response.SetResponseHeader("Referrer-Policy","strict-origin-when-cross-origin"); Platform.Response.SetResponseHeader("Content-Security-Policy","default-src 'self'"); 



*Source : Salesforce Docs & Community Blogs

  • When creating the Installed Packages, allow limited access based on the use cases to be performed.

  • Limit the Setup access only to a few set of users who perform admin-related tasks.

  • For Multi-Factor Authentication, it is recommended that you register for at least two verification methods so you have a backup available - if you lose or forget your primary method.

  • Purchase SSL Certificates to secure the following URL's and understand the Impacts.

    • Cloudpages​​​ - pages.[CustomDomain].com

    • Email Tracking Links - click.[CustomDomain].com

    • Email View as a Web Page - view.[CustomDomain].com

    • Content Builder Content - image.[CustomDomain].com​​

  • Clickjack Protection - Enabled by default, this feature stops malicious pages from loading in the background of trusted Marketing Cloud pages to gain access to confidential information. But it only protects the Interface, not Cloudpages. To do so, include the security headers - X-Frame-Options, as discussed in the Cloudpages section above.

  • Create secure keys under Key Management that can be used in AMPscript Encryption functions