Leverage Inheritance Property of CloudPagesURL Function

Enhance security and efficiency across your SFMC web implementations.

Leverage Inheritance Property of CloudPagesURL Function
Photo by Jeong Yejune / Unsplash
Author: Brad Sapkota


Security is the utmost requirement today across startups and enterprises — customers implicitly trust companies to protect their digital identity and respect privacy.

CloudPages combines the power of a web application while integrating various Salesforce Marketing Cloud apps to enable targeted marketing content for customers across multiple channels.

One of the most significant properties during CloudPages implementation (like marketing preference centressurveyslead capture forms, etc) is the ability to encrypt the URL parameters using the CloudPagesURL function.

The function essentially generates a hashed query string qs such as https://cloud.sfmc.altus.digital/fake-page?qs=51da518008b5abe3b6c18385407caf5e3c223740fae96889735d126d4a5bb63e8b8cd2336145e1f6


In a recent development, I leveraged the inheritance property of CloudPages using CloudPagesURLfunction to access the system/personalisation strings (such as _subscriberkeyemailaddrmemberidjobid and more) in a JavaScript (JS) code resource that acted as the server-side processing page.

The diagram below simply illustrates the query string (qs) inheritance starting from the source email [A] where it redirects to the main landing page [B] using the CloudPagesURL function.

Following the hierarchy from the main landing page [A], when accessing the supplementary pages like JS Code Resource [C] or a second landing page [D], these pages will retain the encrypted query strings (qs=51da5180008b5a...)

In fact, the inheritance of the system strings will follow for any level like in the third landing page [E], as long as the original qs is retained from the source page (main landing page) [B].

Inheritance Hierarchy in CloudPages using CloudPagesURL function
The inheritance seems to work for system strings, however, for any custom parameter, it will need to be explicitly declared and passed on the target page.

Now let’s talk about some of the efficiencies and anomalies of this property and how this could benefit us during the web implementations in SFMC.

a) Security

Most security breaches and exploits are the results of inferior code implementations such as embedding the Personal Identifiable Information (PII) within the HTML DOM or concatenating the URL parameters with susceptible data in plaintext format.

This allows someone to alter the HTML DOM or URL parameters with the intent to swap their email address in the integrated system like All Subscribers in SFMC leading notifications to route to a new email address.

Amazingly, the CloudPagesURL function hashes the personalisation/system strings and custom parameters into a query string(qs=51da5180008b5a...which is known to be encrypted and can only be decrypted in the dedicated SFMC Org.

While there is no official record of the algorithm used in the encryption, a StackExchange post suggests the 3DES algorithm (leave a comment if you have more insight).

Alternatively, if external integrations are involved then you can try functions like EncryptSymmetric to encrypt and DecryptSymmetric to decrypt with specified algorithms and qualifiers — some relevant solutions include:

b) Cross-BU Support (Experimental)

The CloudPagesURL function (%%=CloudPagesURL(pageID)=%%) only has the ability to render the CloudPages URL based on the page ID of native BU — using a page ID from a different BU results in an error.

During my testing, I uncovered that the hashed query string(qs=51da5180008b5a...when appended into CloudPages from a different BU within the same SFMC Enterprise Account, has the potential to decrypt.

  • Business Unit A (rendered CloudPages URL): https://cloud.sfmc.altus.digital/pageA?qs=51da518008b5a…
  • Business Unit B (same qs but different BU): https://cloud.sfmc.altus.digital/pageB?qs=51da518008b5a…

Based on this observation, it seems like the SFMC Enterprise Account including its business units (BU) uses the same algorithm and encryption keys allowing cross-BU support for the decryption of the hashed query strings (qs=51da5180008b5a...)

Disclaimer: While there is no official record for cross-BU support of the CloudPagesURL function, you’re solely responsible for the risks/defects of this experimental feature.

c) AtrributeValue

The lesser-known AttributeValue property provides remarkable efficiency in accessing the data values of the sendable data extension linked to that specific email job.

Upon the completion of the email job, it seems like the CloudPagesURL function takes a snapshot of the values of attributes from the sendable data extension along with system/personalization strings and hashes it to the query strings (qs).

With standard data schema in campaigns, this becomes convenient in CloudPages as it removes the need for explicitly declaring the parameters in the CloudPagesURL function or lookups to its sendable data extension.

In fact, the AttributeValue property is also supported in linked CloudPages due to its inheritance property.

d) System/Personalisation Strings

Another underrated feature is the availability of diverse system-based data from the hashed query string (qs) which makes it efficient to use across web implementations — system-based personalization strings are based on the context of the SubscriberContact or Message.

StackExchange post from Adam Spriggs has categorically summarised it as


Lastly, I wanted to mention some quirks with the CloudPagesURL function that I have come across during development:

  • The CloudPagesURL function is native to AMPScript programmatic language, thus you’ll need to leverage TreatAsContent for SSJS implementations.
  • The CloudPagesUrl function fails to provide full encrypted parameters for those contacts that don’t exist in the All Subscribers list in SFMC (reference).
  • Ensure you’re always wrapping the CloudPagesURL function with RedirectTo in HTML emails within the href attribute of an anchor tag (%%=RedirectTo(CloudPagesURL(7777))=%%) for link tracking purposes.