One of our Marketo landing pages calls an external API to pass some information. For this, the external API client ID and secret are placed on the landing page.
In order to secure this setup, we are planning to use IP restrictions to only allow calls from the landing page to the external server. I just wanted to confirm if we should be concerned regarding IP Spoofing? Also, any other security risks involved with this approach?
Also, will there be extra concerns to do with shared Marketo IP?
One of our Marketo landing pages calls an external API to pass some information. For this, the external API client ID and secret are placed on the landing page.
Um, okay, no longer an API secret though as obviously anyone can read it from the webpage (the whole idea of a secret is it is not world-readable).
It's operating more like an API key in this scenario.
In order to secure this setup, we are planning to use IP restrictions to only allow calls from the landing page to the external server.
The IP address seen by the remote API will be the public IP address of the person viewing the page. How are you predicting this IP address? Are you locking this down so it can only be used from a particular external IP or subnet?
I just wanted to confirm if we should be concerned regarding IP Spoofing?
In practice, no, you don't need to worry about spoofing a (TCP) IP source address across the net, because that'll be blocked by transit routers.
Also, will there be extra concerns to do with shared Marketo IP?
The IP address of your Marketo instance will not be the source IP address of connections made by end users, so the question doesn't really make sense.
You're right. Not an API secret anymore.
Regarding 'The IP address of your Marketo instance will not be the source IP address of connections made by end users, so the question doesn't really make sense':
Since the landing page sits on Marketo, will the source IP of the API calls made via the landing page not be from the Marketo IP? If not, is there any other way for the API server to authenticate?
Regarding 'The IP address of your Marketo instance will not be the source IP address of connections made by end users, so the question doesn't really make sense':
Since the landing page sits on Marketo, will the source IP of the API calls made via the landing page not be from the Marketo IP?
Of course not, the source IP is the person's external IP.
(Just like the source IP of your visits to this page, on Marketo Nation, isn't the IP address of the Jive Community server. It's your home/work IP.)
is there any other way for the API server to authenticate?
No, because you're creating a public page, accessible to anyone, that contains credentials that can be used from anywhere.
There is no way other than filtering based on source IP address for you to make those credentials safe to expose.
Since you don't have a known set of IP addresses, filtering on source IP is impossible.
Hi Alex,
I think you have a bit of confusion.
When the 'landing page' calls the external service API, the 'landing page' is calling from the 'user's browser', typically using JavaScript code. The IP address in this case is the IP address of the 'website visitor' machine, and not the IP address of the Marketo server.
If your business need does not require the external service to be called from the 'landing page' but it can be called from the Marketo server after the form is submitted to Marketo, you can use a Marketo webhook in this case. In this case, the IP address will be that of the Marketo server, and there is no security issue as all the access credentials will be in Marketo and not visible to the web visitor.
Thank you Rajesh! I think we will need to explore webhooks in this case. Unfortunately, there are multiple API calls to get the data and then update info via the external APIs.
Do you have a guide that I can use? I am using the Basic Authentication (btoa) method for the API calls.
Unfortunately, there are multiple API calls to get the data and then update info via the external APIs.
You will have to write an intermediate webhook gateway. In other words, a webhook-compatible endpoint that manages the outbound connections (perhaps in parallel) but which Marketo only connects to once.
Webhooks are stateless, they are not suitable for multi-stage processing.
Noted.
Is there any guide I can use for GET and POST calls using webhooks and Basic Authentication?
I think https://developers.marketo.com/webhooks/ would be useful.