How to Enable Security Headers in Cloud Pages of SFMC

Security headers are essential in Salesforce Marketing Cloud (SFMC) Cloud Pages to protect against clickjacking, cross-site scripting (XSS), MIME sniffing and protocol downgrade attacks. SFMC provides no UI for configuring them, but you can set them yourself from server-side JavaScript (SSJS) in the page, with client-side JavaScript as a limited fallback for clickjacking only.

Steps to Add Security Headers in SFMC Cloud Pages:

1. Set HTTP Response Headers with Server-Side JavaScript (SSJS)

Response headers must be set on the server before the page body is sent. AMPscript can read request headers (HTTPRequestHeader) but has no function for writing response headers, so use the SSJS Platform library's Platform.Response.SetResponseHeader(name, value) instead.

Example: Setting Security Headers

<script runat="server">
    /* Prevent clickjacking: only pages from the same origin may frame this one */
    Platform.Response.SetResponseHeader("X-Frame-Options", "SAMEORIGIN");

    /* X-XSS-Protection is deprecated. Current browsers ignore it and the old
       filter had bypasses and information-leak side channels, so disable it
       explicitly and rely on CSP rather than sending "1; mode=block" */
    Platform.Response.SetResponseHeader("X-XSS-Protection", "0");

    /* Prevent MIME-type sniffing */
    Platform.Response.SetResponseHeader("X-Content-Type-Options", "nosniff");

    /* Content Security Policy (CSP). Replace https://trustedsource.com with the
       hosts this page really loads scripts from. 'unsafe-inline' and
       'unsafe-eval' in script-src keep existing inline scripts working but
       largely defeat the XSS protection; remove them (or switch to nonces or
       hashes) once inline scripts have been moved to files. frame-ancestors is
       the CSP equivalent of X-Frame-Options and is what current browsers honour. */
    Platform.Response.SetResponseHeader("Content-Security-Policy",
        "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://trustedsource.com; style-src 'self' 'unsafe-inline'; img-src 'self' data:; frame-ancestors 'self'");

    /* Referrer Policy */
    Platform.Response.SetResponseHeader("Referrer-Policy", "strict-origin-when-cross-origin");

    /* HTTP Strict Transport Security. Only effective when the page is served
       over HTTPS. includeSubDomains binds every subdomain of the host to HTTPS
       for a year, and preload only means anything if the domain owner submits
       the domain to the browser preload lists, so use both only on a custom
       domain you control. */
    Platform.Response.SetResponseHeader("Strict-Transport-Security", "max-age=31536000; includeSubDomains; preload");
</script>

Where to Add the Code?
Place this SSJS block at the very top of your Cloud Page, before any HTML, so the headers are set before the response body is written. After publishing, confirm the headers actually reach the browser, for example with curl -sI https://<your-cloudpage-url> or the browser's network inspector; only headers present in the published response count.

2. Add a Client-Side Frame-Busting Fallback (JavaScript Cannot Set Headers)

Client-side JavaScript runs after the browser has already received the response, so it cannot set or change HTTP response headers. What it can do is reduce clickjacking exposure in browsers that ignore X-Frame-Options and CSP frame-ancestors. Treat it strictly as defence in depth: a hostile framing page can defeat frame-busting scripts, for example by loading the page in an iframe whose sandbox attribute blocks top-level navigation, so the headers from step 1 remain the actual control.

Example: Frame-Busting Fallback

Place this in the <head>, before any page content, so the body is never rendered while framed. This is the legacy frame-breaking pattern from the OWASP Clickjacking Defense Cheat Sheet.

<style id="antiClickjack">body { display: none !important; }</style>

<script>
    // Frame-busting fallback: keep the body hidden unless this page is the top-level window
    if (self === top) {
        var antiClickjack = document.getElementById("antiClickjack");
        antiClickjack.parentNode.removeChild(antiClickjack);
    } else {
        // Framed: try to replace the framing page with this one
        top.location = self.location;
    }
</script>

Key Security Headers & Their Purpose:

X-Frame-Options: SAMEORIGIN
    Stops other origins from embedding the page in a frame (clickjacking protection). CSP frame-ancestors is the modern equivalent and takes precedence where both are present.

X-XSS-Protection
    Controls the legacy browser XSS filter. The header is deprecated; set it to 0 or omit it rather than sending 1; mode=block, because the filter was bypassable and leaked information in older browsers. Rely on CSP for XSS mitigation.

X-Content-Type-Options: nosniff
    Prevents the browser from reinterpreting a response as a different MIME type (MIME-sniffing attacks).

Content-Security-Policy
    Restricts which origins may supply scripts, styles, images, frames and other resources, and (via frame-ancestors) which sites may frame the page.

Referrer-Policy: strict-origin-when-cross-origin
    Sends only the origin, without path or query string, in the Referer header on cross-origin requests, and nothing at all on HTTPS-to-HTTP downgrades.

Strict-Transport-Security
    Tells browsers to use HTTPS only for this host for max-age seconds, preventing downgrade to plain HTTP.

Best Practices

  • Serve Cloud Pages only over https://; HSTS has no effect on a page delivered over plain HTTP.
  • Restrict CSP to the origins the page actually needs, and work towards removing 'unsafe-inline' and 'unsafe-eval' from script-src, since they let injected inline script run.
  • Test the published Cloud Page, not the editor preview, with curl -sI or a scanner such as Mozilla Observatory or Google Lighthouse, and re-test after every change to the page's scripts, since a stricter CSP can break them.
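The following header audit is an added example, not part of the original article and not Salesforce code. It checks a response's headers against the policy described on this page (X-Frame-Options or CSP frame-ancestors present, nosniff set, CSP not weakened by 'unsafe-inline' or 'unsafe-eval' in script-src, Referrer-Policy set, HSTS max-age of at least a year, X-XSS-Protection not re-enabled) and can be pointed at a published Cloud Page URL. The two header sets in the file are constructed samples, and https://trustedsource.com is the placeholder host from the policy above.

```javascript
// Added example (not SFMC or Salesforce code): audit the security headers a
// Cloud Page actually returns. Run with Node.js 18+; the live check uses the
// global fetch(). Usage: node audit-headers.js https://your-cloudpage-url

const ONE_YEAR = 31536000;

// Parse a CSP string into { directive: [source, ...] }.
function parseCsp(policy) {
  const directives = {};
  for (const part of policy.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    directives[name.toLowerCase()] = sources;
  }
  return directives;
}

// Evaluate a header map (names are case-insensitive). Returns { pass, findings }.
// "fail" = a control is missing or misconfigured; "warn" = a control is present but weakened.
function auditHeaders(rawHeaders) {
  const h = {};
  for (const [k, v] of Object.entries(rawHeaders)) h[k.toLowerCase()] = String(v).trim();
  const findings = [];
  const fail = (msg) => findings.push({ level: "fail", msg });
  const warn = (msg) => findings.push({ level: "warn", msg });

  // Clickjacking: either X-Frame-Options or CSP frame-ancestors must restrict framing.
  const xfo = (h["x-frame-options"] || "").toUpperCase();
  const csp = h["content-security-policy"] ? parseCsp(h["content-security-policy"]) : null;
  const frameAncestors = csp && csp["frame-ancestors"];
  if (!frameAncestors && !["DENY", "SAMEORIGIN"].includes(xfo)) {
    fail("no clickjacking protection: set X-Frame-Options: SAMEORIGIN or CSP frame-ancestors");
  }

  if ((h["x-content-type-options"] || "").toLowerCase() !== "nosniff") {
    fail("X-Content-Type-Options: nosniff missing");
  }

  if (!csp) {
    fail("Content-Security-Policy missing");
  } else {
    // script-src falls back to default-src when it is absent.
    const scriptSrc = (csp["script-src"] || csp["default-src"] || []).map((s) => s.toLowerCase());
    for (const weak of ["'unsafe-inline'", "'unsafe-eval'", "*"]) {
      if (scriptSrc.includes(weak)) warn(`CSP script-src allows ${weak}; XSS mitigation is largely defeated`);
    }
    if (!csp["default-src"]) warn("CSP has no default-src fallback");
  }

  const referrer = (h["referrer-policy"] || "").toLowerCase();
  if (!referrer) {
    fail("Referrer-Policy missing");
  } else if (["unsafe-url", "no-referrer-when-downgrade"].includes(referrer)) {
    warn(`Referrer-Policy ${referrer} leaks full URLs to other origins`);
  }

  const hsts = h["strict-transport-security"];
  if (!hsts) {
    fail("Strict-Transport-Security missing");
  } else {
    const m = /max-age=(\d+)/i.exec(hsts);
    const maxAge = m ? Number(m[1]) : 0;
    if (maxAge < ONE_YEAR) warn(`HSTS max-age ${maxAge} is below one year (${ONE_YEAR})`);
  }

  // X-XSS-Protection is deprecated; anything other than "0" re-enables a filter
  // with known bypasses and side channels in older browsers.
  const xss = h["x-xss-protection"];
  if (xss !== undefined && xss.replace(/\s/g, "") !== "0") {
    warn("X-XSS-Protection enabled; send 0 or omit the header and rely on CSP");
  }

  return { pass: findings.every((f) => f.level !== "fail"), findings };
}

// Live check against a real URL (network required; not used by the samples below).
async function auditUrl(url) {
  const res = await fetch(url, { method: "GET", redirect: "manual" });
  return auditHeaders(Object.fromEntries(res.headers.entries()));
}

// Constructed sample responses: a bare Cloud Page and one with the headers from step 1.
const BARE_RESPONSE = { "Content-Type": "text/html; charset=utf-8" };
const HARDENED_RESPONSE = {
  "Content-Type": "text/html; charset=utf-8",
  "X-Frame-Options": "SAMEORIGIN",
  "X-Content-Type-Options": "nosniff",
  "Content-Security-Policy": "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://trustedsource.com; style-src 'self' 'unsafe-inline'; img-src 'self' data:; frame-ancestors 'self'",
  "Referrer-Policy": "strict-origin-when-cross-origin",
  "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
  "X-XSS-Protection": "0",
};

if (typeof require !== "undefined" && require.main === module) {
  const target = process.argv[2];
  const run = target ? auditUrl(target) : Promise.resolve(auditHeaders(HARDENED_RESPONSE));
  run.then((report) => {
    console.log(JSON.stringify(report, null, 2));
    process.exitCode = report.pass ? 0 : 1;
  });
}
```

Run it without arguments to see the report for the constructed hardened sample (two warnings for 'unsafe-inline' and 'unsafe-eval', no failures), or pass a published Cloud Page URL to audit the live response. A non-zero exit code on failures makes it usable as a post-publish check in a CI job.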