Security and encryption verified

Quick reference about security, cookies, encoding, hashing and encryption in Salesforce Marketing Cloud (SFMC).

Table of contents

Security headers

Security headers are HTTP response headers that instruct the browser to apply protections against the most common client-side scripting attacks.

// Emit the baseline security headers on the response.
// Wrapped in an IIFE so the header table and loop index do not leak into the SSJS global scope.
(function () {
    var headers = [
        // HSTS: the browser will only talk HTTPS to this host for max-age seconds.
        // 200s is a harmless test value; production typically uses a year or more
        // (e.g. max-age=31536000) once everything is confirmed to be served over HTTPS.
        ["Strict-Transport-Security", "max-age=200"],
        // Legacy XSS-auditor switch: modern browsers ignore it; the CSP below is the effective control.
        ["X-XSS-Protection", "1; mode=block"],
        // Disallow framing by any site (clickjacking mitigation).
        ["X-Frame-Options", "Deny"],
        // Stop the browser from MIME-sniffing the body away from the declared Content-Type.
        ["X-Content-Type-Options", "nosniff"],
        // Send only the origin on cross-origin requests and nothing on an HTTPS->HTTP downgrade.
        ["Referrer-Policy", "strict-origin-when-cross-origin"],
        // Only same-origin resources may load; inline scripts and styles are blocked unless relaxed.
        ["Content-Security-Policy", "default-src 'self'"]
    ];
    for (var i = 0; i < headers.length; i++) {
        Platform.Response.SetResponseHeader(headers[i][0], headers[i][1]);
    }
})();
<script runat="server">

    Platform.Load("core", "1");

    // Same header set as the quick reference above; headers are set before Write() emits any body.
    // IIFE keeps the table and loop index out of the SSJS global scope.
    (function () {
        var headers = [
            // HSTS in seconds: 200s is a test value, production normally uses a year or more (e.g. max-age=31536000).
            ["Strict-Transport-Security", "max-age=200"],
            // Legacy XSS-auditor switch; modern browsers ignore it, CSP is the effective control.
            ["X-XSS-Protection", "1; mode=block"],
            // No framing by any site (clickjacking mitigation).
            ["X-Frame-Options", "Deny"],
            // No MIME sniffing of the response body.
            ["X-Content-Type-Options", "nosniff"],
            // Only the origin is sent cross-origin, nothing on an HTTPS->HTTP downgrade.
            ["Referrer-Policy", "strict-origin-when-cross-origin"],
            // Same-origin resources only; inline scripts and styles are blocked unless relaxed.
            ["Content-Security-Policy", "default-src 'self'"]
        ];
        for (var i = 0; i < headers.length; i++) {
            Platform.Response.SetResponseHeader(headers[i][0], headers[i][1]);
        }
    })();

    Write("Hello World");

</script>

Cookies

Cookies are small pieces of data that a website stores in the user's browser.

// Read the named cookie from the incoming request (it reads the request, not the response being built).
Platform.Request.GetCookieValue("myCookie");
// Set a cookie on the response: name, value, expiry (an ISO 8601 timestamp here) and a boolean flag —
// presumably HttpOnly; confirm against the SSJS reference before relying on it.
Platform.Response.SetCookie("myCookie", "◔_◔", "2023-08-01T20:30:00.999Z", true);
// Ask the browser to drop the named cookie.
Platform.Response.RemoveCookie("myCookie");
<script runat="server">

    Platform.Load("core", "1");

    try {
        // Local "now" is the base date from which plus30days() derives the expiry in AMPscript.
        var localNow = DateTime.SystemDateToLocalDate(Now());
        var expiresOn = plus30days(localNow);

        // Fourth argument is a boolean flag — presumably HttpOnly; confirm against the SSJS reference.
        Platform.Response.SetCookie("myCookie", "◔_◔", expiresOn, true);

        // Reads the cookie from the incoming request, not from the response header just set.
        var currentValue = Platform.Request.GetCookieValue("myCookie");
        Write(Stringify(currentValue));
    } catch (err) {
        // Demo-only: the full error object is echoed to the page.
        Write(Stringify(err));
    }

    /**
     * Add 30 days to a date by delegating to AMPscript DateAdd.
     * The date is handed over as the AMPscript variable @Now, so it is never spliced into the script text.
     * @param {*} dt - date value understood by AMPscript DateAdd
     * @returns {string} the rendered AMPscript output (the shifted date as text)
     */
    function plus30days(dt) {
        Variable.SetValue("Now", dt);

        // NOTE(review): no separator between the SET and Output statements here, unlike the hashing
        // snippet further down — confirm AMPscript parses it as two statements.
        var ampscript = [
            "\%\%[",
            "SET @Result = DateAdd(@Now, 30, 'D')",
            "Output(Concat(@Result))",
            "]\%\%"
        ].join("");

        return Platform.Function.TreatAsContent(ampscript);
    }

</script>

Encoding

Encoding is the process of putting a string of characters into a specialized format for transmission or storage.

// Base64 is an encoding, not encryption: anyone can decode it, so it must never be used to protect secrets.
Base64Encode("◕_◕");
// Decodes a Base64 string back to text (the argument here is a non-Base64 sample, shown only for the call shape).
Base64Decode("◔_◔");
<script runat="server">

    Platform.Load("core", "1");

    try {
        var sample = "◔_◔";

        // Round trip: encode, then decode the encoded form back to the original text.
        // Base64 is reversible by anyone — it is an encoding, not a protection.
        var b64 = Base64Encode(sample);
        var roundTripped = Base64Decode(b64);

        Write(Stringify({ enc: b64, dec: roundTripped }));
    } catch (err) {
        // Demo-only: the full error object is echoed to the page.
        Write(Stringify(err));
    }

</script>

Hashing

Hashing is the process of transforming a string of characters into another value. Hashing is one-way: a hashed value cannot be decrypted or reversed to recover the original string.

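/**
 * Hash a string with an AMPscript hash function.
 *
 * The input and charset are handed to AMPscript as variables (@Str, @Cset), so they are never
 * spliced into the script text. The algorithm name is matched case-insensitively; an unknown
 * name throws instead of silently falling back to MD5 (the previous behaviour, which turned a
 * typo such as "SHA256" into a weak MD5 digest).
 *
 * @param {string} str - text to hash
 * @param {string} [alg] - "md5" (default), "sha1", "sha256" or "sha512", any case
 * @param {string} [cset] - charset passed to the AMPscript function, default "UTF-16"
 * @returns {string} the hex digest rendered by AMPscript
 * @throws {Error} when alg is not one of the supported names
 */
function hash(str, alg, cset) {
    var charset = cset || "UTF-16";

    // Empty/undefined keeps the original default (MD5); anything else must be a known name.
    var algName = alg ? String(alg).toLowerCase() : "md5";

    // MD5 and SHA1 are kept for compatibility only: neither is collision-resistant.
    var ampscriptFunctions = {
        md5:    "MD5",
        sha1:   "SHA1",
        sha256: "SHA256",
        sha512: "SHA512"
    };

    // hasOwnProperty guards against inherited keys such as "constructor" being looked up.
    if (!Object.prototype.hasOwnProperty.call(ampscriptFunctions, algName)) {
        throw new Error("hash: unsupported algorithm '" + alg + "'");
    }
    var fn = ampscriptFunctions[algName];

    Variable.SetValue("@Str", str);
    Variable.SetValue("@Cset", charset);

    var scr = "\%\%[SET @Result = " + fn + "(@Str, @Cset) Output(Concat(@Result))]\%\%";

    return Platform.Function.TreatAsContent(scr);
}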
<script runat="server">

    Platform.Load("core", "1");

    try {
        var sample = "◔_◔";

        // One digest per supported algorithm. MD5 and SHA1 are shown for completeness only —
        // neither is collision-resistant; prefer SHA-256 or stronger for new integrity checks,
        // and none of these is a password-hashing scheme (no salt, no work factor).
        var digests = {};
        digests.md5 = hash(sample);
        digests.sha1 = hash(sample, "sha1");
        digests.sha256 = hash(sample, "sha256");
        digests.sha512 = hash(sample, "sha512");

        Write(Stringify(digests));
    } catch (err) {
        // Demo-only: the full error object is echoed to the page.
        Write(Stringify(err));
    }

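    /**
     * Hash a string with an AMPscript hash function.
     *
     * The input and charset are handed to AMPscript as variables (@Str, @Cset), so they are never
     * spliced into the script text. The algorithm name is matched case-insensitively; an unknown
     * name throws instead of silently falling back to MD5 (the previous behaviour, which turned a
     * typo such as "SHA256" into a weak MD5 digest).
     *
     * @param {string} str - text to hash
     * @param {string} [alg] - "md5" (default), "sha1", "sha256" or "sha512", any case
     * @param {string} [cset] - charset passed to the AMPscript function, default "UTF-16"
     * @returns {string} the hex digest rendered by AMPscript
     * @throws {Error} when alg is not one of the supported names
     */
    function hash(str, alg, cset) {
        var charset = cset || "UTF-16";

        // Empty/undefined keeps the original default (MD5); anything else must be a known name.
        var algName = alg ? String(alg).toLowerCase() : "md5";

        // MD5 and SHA1 are kept for compatibility only: neither is collision-resistant.
        var ampscriptFunctions = {
            md5:    "MD5",
            sha1:   "SHA1",
            sha256: "SHA256",
            sha512: "SHA512"
        };

        // hasOwnProperty guards against inherited keys such as "constructor" being looked up.
        if (!Object.prototype.hasOwnProperty.call(ampscriptFunctions, algName)) {
            throw new Error("hash: unsupported algorithm '" + alg + "'");
        }
        var fn = ampscriptFunctions[algName];

        Variable.SetValue("@Str", str);
        Variable.SetValue("@Cset", charset);

        var scr = "\%\%[SET @Result = " + fn + "(@Str, @Cset) Output(Concat(@Result))]\%\%";

        return Platform.Function.TreatAsContent(scr);
    }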

</script>

Encryption

Encryption is a process that scrambles data into an unreadable form that can only be turned back into the original data by whoever holds the matching key.

/**
 * Encrypt a string with AMPscript EncryptSymmetric (AES).
 * The plaintext travels as the AMPscript variable @ToEncrypt, so it is never spliced into the script text.
 * 'password', 'salt' and 'initvector' are the external keys of Key Management entries (see the
 * warning below), not literal secrets; the @null arguments are presumably the positions where inline
 * values would otherwise go — confirm against the EncryptSymmetric reference.
 * @param {string} str - plaintext to encrypt
 * @returns {string} the rendered AMPscript output (the ciphertext as text)
 */
function encrypt(str) {
    Variable.SetValue("@ToEncrypt", str);

    // NOTE(review): no separator between the SET and Output statements, unlike the hashing
    // snippet — confirm AMPscript parses it as two statements.
    var ampscript = [
        "\%\%[",
        "SET @Encrypted = EncryptSymmetric(@ToEncrypt, 'AES', 'password', @null, 'salt', @null, 'initvector', @null)",
        "Output(Concat(@Encrypted))",
        "]\%\%"
    ].join("");

    return Platform.Function.TreatAsContent(ampscript);
}

/**
 * Decrypt a string produced by encrypt() with AMPscript DecryptSymmetric (AES).
 * The ciphertext travels as the AMPscript variable @ToDecrypt, so it is never spliced into the script text.
 * The key, salt and IV names must match the ones used by encrypt(): 'password', 'salt' and
 * 'initvector' are external keys of Key Management entries (see the warning below).
 * @param {string} str - ciphertext to decrypt
 * @returns {string} the rendered AMPscript output (the plaintext as text)
 */
function decrypt(str) {
    Variable.SetValue("@ToDecrypt", str);

    // NOTE(review): no separator between the SET and Output statements, unlike the hashing
    // snippet — confirm AMPscript parses it as two statements.
    var ampscript = [
        "\%\%[",
        "SET @Decrypted = DecryptSymmetric(@ToDecrypt, 'AES', 'password', @null, 'salt', @null, 'initvector', @null)",
        "Output(Concat(@Decrypted))",
        "]\%\%"
    ].join("");

    return Platform.Function.TreatAsContent(ampscript);
}
<script runat="server">

    Platform.Load("core", "1");

    try {
        var sample = "◔_◔";

        // Round trip through the Key Management entries named in encrypt()/decrypt().
        var cipherText = encrypt(sample);
        var plainText = decrypt(cipherText);

        // Demo-only: echoing the ciphertext and recovered plaintext side by side to the page.
        Write(Stringify({ encrypted: cipherText, decrypted: plainText }));
    } catch (err) {
        // Demo-only: the full error object is echoed to the page.
        Write(Stringify(err));
    }

    /**
     * Encrypt a string with AMPscript EncryptSymmetric (AES).
     * The plaintext travels as the AMPscript variable @ToEncrypt, so it is never spliced into the script text.
     * 'password', 'salt' and 'initvector' are the external keys of Key Management entries (see the
     * warning below), not literal secrets; the @null arguments are presumably the positions where inline
     * values would otherwise go — confirm against the EncryptSymmetric reference.
     * @param {string} str - plaintext to encrypt
     * @returns {string} the rendered AMPscript output (the ciphertext as text)
     */
    function encrypt(str) {
        Variable.SetValue("@ToEncrypt", str);

        // NOTE(review): no separator between the SET and Output statements, unlike the hashing
        // snippet — confirm AMPscript parses it as two statements.
        var ampscript = [
            "\%\%[",
            "SET @Encrypted = EncryptSymmetric(@ToEncrypt, 'AES', 'password', @null, 'salt', @null, 'initvector', @null)",
            "Output(Concat(@Encrypted))",
            "]\%\%"
        ].join("");

        return Platform.Function.TreatAsContent(ampscript);
    }

    /**
     * Decrypt a string produced by encrypt() with AMPscript DecryptSymmetric (AES).
     * The ciphertext travels as the AMPscript variable @ToDecrypt, so it is never spliced into the script text.
     * The key, salt and IV names must match the ones used by encrypt(): 'password', 'salt' and
     * 'initvector' are external keys of Key Management entries (see the warning below).
     * @param {string} str - ciphertext to decrypt
     * @returns {string} the rendered AMPscript output (the plaintext as text)
     */
    function decrypt(str) {
        Variable.SetValue("@ToDecrypt", str);

        // NOTE(review): no separator between the SET and Output statements, unlike the hashing
        // snippet — confirm AMPscript parses it as two statements.
        var ampscript = [
            "\%\%[",
            "SET @Decrypted = DecryptSymmetric(@ToDecrypt, 'AES', 'password', @null, 'salt', @null, 'initvector', @null)",
            "Output(Concat(@Decrypted))",
            "]\%\%"
        ].join("");

        return Platform.Function.TreatAsContent(ampscript);
    }

</script>

WARNING

These functions only work if a symmetric key named "password", a salt named "salt" and an initialization vector named "initvector" exist in the list of Key Management entries.

Reference

Resources and references related to the methods above.

SHA256
EncryptSymmetric
