Secure Your API Credentials For Salesforce Marketing Cloud Development
This post comes off the back of a webinar hosted by Eliot Harper and Ivan Razine in which the very important topic of secure development practices was covered. One of the key learnings was how to protect your API credentials (clientID and clientSecret) on CloudPages. I’d encourage you to watch the webinar recording for some excellent nuggets of information. This blog post is my takeaway from the presentation, with the aim of helping to spread good development practices.
All AMPscript and Server Side JavaScript (SSJS) is processed on the Marketing Cloud’s server side instead of the client-side computer. Thus any such code is fully executed on the server prior to the final content being sent and ultimately rendered on the client side. Greg at Gortington.com explains this very clearly in his blog post here.
Server-side code utilises the ‘home’ server environment and is able to interact and manipulate objects on the server prior to response rendering. The server script is not passed along to the requester, only the results of this scripting.
In this respect, there is low risk of clientID and clientSecreet being accessible by CloudPage end users, however it is not good practice to have them just sitting in the page clearly exposed and easily available for all internal SFMC users to see. Eliot raised a good point in the preso, that even the most basic of SFMC user permissions permits users to view CloudPages code. So securing your API creds inside pages is definitely something you will want to implement.
Solution
Utilising the EncryptSymmetric() AMPscript function we are going to encrypt our REST API credentials, save the encrypted string output in a Data Extension, and then use Lookup and DecryptSymmetric functions to retrieve the credentials for use in our CloudPage.
EncryptSymmetric
Explanation here: AMPscript Guide
Key Management
Official help documentation here. We need to create 3 keys so that we are able to use the EncryptSymmetric function. Go to setup and search for ‘Key Management.’
Create Keys
Using https://www.random.org/bytes/ generate SALT and IV keys.
- Salt encryption requires a hex value longer than 8 bits.
- Initialization Vector (IV) encryption requires you enter 16 byte hexadecimal value.
- 8 random bytes https://www.random.org/cgi-bin/randbyte?nbytes=8&format=h
- 16 random bytes https://www.random.org/cgi-bin/randbyte?nbytes=16&format=h
Once our key management is in place, we can create a CloudPage, input the REST API credentials and use EncryptSymmetric function utilising external keys.
This will output a Base64 encoded value of our encrypted credentials.
PiUmPMeWWRRQ35gdPVwpJHs7bTpfXFwqHQJ7bCRtxroIFxgFQFIcUj9nYzMYcxw6GXxiJx1TPFIeeWR3WdujMC1bNEBNEW5uJwIEJAR5WghNCUED1pE9MMW0NRdMJFVmLUp2bV9zGiven it is Symmetric encryption, this can be decrypted right in your SFMC account using the password and keys used to create the encrypted string stored in key management. More on that soon.
Copy this string and upload it into a new data extension like the below. I am using the account MID for the LOOKUP function.
| Name | Data Type | Length |
|-----------|-----------|--------|
| MID | Int | 10 |
| apiCreds | Text | 3000 |In our final CloudPage we’ll lookup this DE, grab the apiCreds string, decrypt the string, pass it from an ampscript to a javascript string, parse it to JSON and use appropriate object notation to declare and define variables.
This will print out accessToken to screen, but in reality you’ll then be taking this token for use in the Authorization of subsequent API calls on the page.
Secure Development with Salesforce Marketing Cloud
Eliot: https://mc.chat/
Ivan: https://ampscript.xyz/
What is Base64?
Finally, below is great video about how Base64 works. Watch it and once you understand, you’ll see why it is not a great way to secure anything as it is widely and easily decrypted.
What is Salting?
Thanks goes to all the respective authors and content creators.
