Share
ReportHi,
Hoping someone can provide some information for below
We are developing External accessed Website hosted in Azure App service, and we have requirement to track one page visit in to Dynamics 365. We have created a custom trigger in Dynamics 365 by following the steps at https://learn.microsoft.com/en-us/dynamics365/customer-insights/journeys/real-time-marketing-custom-triggers
We have placed this code snippet on to external page which works fine, but the security implications we have is about the Ingestion Key
As per MS
/ The code snippet that is provided with the trigger contains an ingestion key that uniquely identifies the Customer Insights - Journeys instance. An attacker with access to the ingestion key could possibly send spurious triggers that can trigger unintended customer journeys.
It's a good practice to:
Protect the ingestion key wherever possible.
Limit the use of attributes in custom triggers, especially when those attributes can be used to personalize content and act as potential attack vectors such as cross-site scripting.
Hoping someone can provide some information for below
We are developing External accessed Website hosted in Azure App service, and we have requirement to track one page visit in to Dynamics 365. We have created a custom trigger in Dynamics 365 by following the steps at https://learn.microsoft.com/en-us/dynamics365/customer-insights/journeys/real-time-marketing-custom-triggers
We have placed this code snippet on to external page which works fine, but the security implications we have is about the Ingestion Key
As per MS
/ The code snippet that is provided with the trigger contains an ingestion key that uniquely identifies the Customer Insights - Journeys instance. An attacker with access to the ingestion key could possibly send spurious triggers that can trigger unintended customer journeys.
It's a good practice to:
Protect the ingestion key wherever possible.
Limit the use of attributes in custom triggers, especially when those attributes can be used to personalize content and act as potential attack vectors such as cross-site scripting.
We are not sure how this Ingestion key can be hidden, the call is made from website by client and they can clearly see this unique Ingestion key on page when they go to view source
All responses (
Answers (
671
