Loading...
Area: Episerver Campaign
Applies to versions: Not applicable

Security

Recommendations [hide]

This topic describes security considerations for the HTTP integration API for Episerver Campaign.

TLS encryption

Episerver Campaign supports Transport Layer Security (TLS) version 1.2 and higher to encrypt data transmission via API requests.

SSL encryption

We recommend encrypting all data transmitted. Customer support can give more information on configuring an SSL encryption. You can access the API server using  https://api.campaign.episerver.net.

Upon request, we can configure your client to accept SSL requests only.

Authorization code

The URL for each request contains an authorization code which identifies either the client and the recipient list or the recipient and the sent email. If this code is incorrect, the operation is not executed.

If used in an email, the authorization code is created automatically. If you use a form on your website, the URL contains the code.
To get this code, perform these steps.

  1. Log in to Episerver Campaign.
  2. Open the start menu and, under Administration, click API overview.
    The API overview window opens.
  3. Switch to the Recipient lists tab and select the relevant recipient list.
  4. Click Manage authorization code.
    The Manage authorization codes window opens and displays all authorization codes of this recipient list.
  5. Copy the authorization code from the Authorization code list.
    If no authorization code is available for the selected recipient list, click Create authorization code.

Warning: The authorization codes of the form service must be treated as sensitively as a combination of user name and password. Never pass the authorization code to third parties and never use HTTP API calls of the form service directly on your websites or in mailings. HTTP API calls of the form service must always be executed by the server without exposing the used source code to others. To use HTTP operations in mailings, use the mail service of the HTTP API (see Mail service).

If you want to deactivate an existing authorization code, perform the following steps:

  1. Log in to Episerver Campaign.
  2. Open the start menu and, under Administration, click API overview.
    The API overview window opens.
  3. Switch to the Recipient lists tab.
  4. In the Recipient list list, click the recipient list that contains the authorization code.
  5. Click Manage authorization codes.
    The Manage authorization codes window opens and displays all authorization codes of this recipient list.
  6. In the Authorization code list, click the authorization code you want to deactivate and then click Deactivate authorization code.

Note: Additionally, we recommend using the IP restriction feature of Episerver Campaign for HTTP API calls of the form service in your client. To use this feature, contact customer support.

IP security

We recommend using an IP access restriction for the HTTP API form service. To set up the IP access restriction, send the IP addresses of your web server to customer support. Access from IP addresses other than the defined ones is denied.

Request types

Usually, the HTTP API accepts HTTP GET and POST requests. If you are sure that you use only one type of transmission, we can configure your client to accept only the desired operation.

Do you find this information helpful? Please log in to provide feedback.

Last updated: Jul 15, 2020

Recommendations [hide]