Landing pages are a great communication and marketing tool that allows you to seamlessly extend your Engage messaging campaigns onto the web.

When you create landing pages, security is a top priority. Your landing pages should be as secure and as trustworthy as your main website. After all, the purpose of a landing page is usually to collect more data about your customers. You want this data to be as secure as possible.

Landing page security is important to your contacts, too. Communicating that your site is safe and secure is crucial. Your customers will only share their personal data and preferences with you when they are confident that your site really belongs to you, and that the data they give you is secure. A secure landing page creates a sense of trust. As a result, your customers can feel confident when they interact with your landing pages and enter data on your web forms.

When you create and host your landing pages with Mapp, you can rest assured that we have several security mechanisms in place to keep your landing pages secure. Engage offers several security settings that make your landing pages appear and function even more securely.

Secure Landing Pages with HTTPS and Transport Layer Security

If you use your own dedicated and secure domain with Engage, you can create secure HTTPS landing pages. The URL is constructed with HTTPS rather than HTTP. For example, when you create an email message in Engage and add links to your landing pages with the Engage Variable, the links are secure HTTPS links.

HTTPS connections are secured with TLS (Transport Layer Security) or with its earlier version, SSL (Secure Sockets Layer). At Mapp, we use TLS to secure your landing page. TLS is the most commonly used encryption for web pages and email transfer.

TLS has two functions: encryption and authentication.

  • TLS is used to securely transfer your data between Engage and the landing page. Your data is encrypted to protect against unauthorized access. This means that no one can "eavesdrop" on your data transfer or intercept the data of your contacts.

  • TLS also includes a security certificate that authenticates and confirms the identity of your landing page. When this certificate is in place, most browsers display a green lock in the browser bar to reassure website visitors that the identity of the website is confirmed. When your contacts see this symbol, they know that they can safely enter data on your landing page.

To use this feature, you must have your own dedicated and secure domain for use with Engage.

iframe Protection for Landing Pages

Engage blocks your landing pages from appearing in iframes on third-party domains. An iframe is an HTML element that adds content to a website or landing page. Engage prevents malicious third parties from displaying your landing page in an iframe on a different website.

This security setting is designed for protection against clickjacking. Clickjacking tricks your customers into clicking links or entering information on a website that appears to be from you, but that is actually controlled by hackers.

Talk to your customer representative if you want to make sure that your landing pages have protection from iframing.

Block External Scripts on Landing Pages

This security setting provides protection against cross-site scripting (XSS) on landing pages. With this feature, your landing page can only contain scripts that come from your own domain. External scripts are blocked on landing pages. Technically, this is done by setting a Content Security Policy header on the landing page.

This security setting is optional but recommended. This feature allows you to be more restrictive about which scripts are allowed on landing pages. Contact your customer representative for more information.
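
To confirm that a landing page has both the iframe protection and the external-script block in place, you can inspect its response headers. The following is an added example, not Mapp's own code. It assumes that framing is restricted through the CSP frame-ancestors directive or the X-Frame-Options header (the page does not name the mechanism), and the header values are constructed samples.

```python
# Added example; header values at the bottom are constructed samples.
def parse_csp(value):
    """Split a Content-Security-Policy value into {directive: [sources]}."""
    policy = {}
    for part in value.split(";"):
        tokens = part.strip().split()
        if tokens:
            # When a directive is repeated, browsers use the first occurrence.
            policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy

def audit_headers(headers):
    """Return a list of findings; an empty list means both checks passed."""
    h = {k.lower(): v for k, v in headers.items()}
    csp = parse_csp(h.get("content-security-policy", ""))
    findings = []

    # Framing: CSP frame-ancestors, or the older X-Frame-Options header.
    ancestors = csp.get("frame-ancestors")
    xfo = h.get("x-frame-options", "").strip().upper()
    if ancestors is not None:
        # A wildcard or a bare scheme ("https:") lets any site frame the page.
        if any(s.lower() in ("*", "http:", "https:") for s in ancestors):
            findings.append("frame-ancestors allows any origin")
    elif xfo not in ("DENY", "SAMEORIGIN"):
        findings.append("no framing restriction")

    # Scripts: script-src falls back to default-src when it is absent.
    scripts = csp.get("script-src", csp.get("default-src"))
    if scripts is None:
        findings.append("no script-src or default-src directive")
    else:
        extra = [s for s in scripts if s.lower() not in ("'self'", "'none'")]
        if extra:
            findings.append("script sources other than 'self': " + " ".join(extra))
    return findings

# Constructed sample responses (assumed values, not captured from Engage).
HARDENED = {"Content-Security-Policy": "script-src 'self'; frame-ancestors 'self'"}
WEAK = {"Content-Security-Policy": "script-src 'self' https://cdn.example.net"}

if __name__ == "__main__":
    for name, sample in (("hardened", HARDENED), ("weak", WEAK)):
        print(name, audit_headers(sample) or "ok")
```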

Whitelist for Trusted Domains

With this security setting, the Engage system checks the redirection of requests sent within or from landing pages against an internal whitelist of domains. Form data is only sent to whitelisted domains. This ensures that your form data cannot be sent to any other domain.