SSL at Braze
A secure socket layer (SSL) encrypts a URL with HTTPS instead of HTTP. HTTPS indicates that a valid and trusted SSL or TLS certificate exists and that the website is safe to visit.
Why is SSL important?
Most domains do not require SSL, but Braze strongly recommends using SSL for these reasons.
Securing your website and links with SSL is a common practice even for companies that don’t deal directly with sensitive customer information. Users are more trusting of links that are secured with SSL, and the additional layer of authentication helps protect your data.
Necessary for click and open tracking
Braze transforms your links using your branded link tracking subdomain to track clicks and opens. By default these links begin with HTTP. Users with browsers or extensions that restrict non-secure traffic may have difficulty passing through the redirect before the destination URL, even if the URL is secure. This can cause broken images and inaccurate tracking. Apply SSL to the link tracking subdomain to confirm secure redirects.
Requirements
Browser
Major browsers such as Google Chrome restrict traffic through non-secure URLs to protect users. Using SSL helps confirm that content is trusted and minimizes issues like broken links and images in emails.
HSTS domains
If you have an HTTP Strict Transport Security (HSTS) domain, set up SSL and configure a CDN to send required security certificates. Without SSL, image and web links break.
Acquire an SSL certificate
Acquire an SSL certificate through a third party, usually a Content Delivery Network (CDN). A CDN hosts the certificate and serves it to the browser when a user clicks a link by redirecting traffic through the CDN to apply certificates before sending it to SendGrid or SparkPost.
To start SSL setup, contact your Braze customer success manager to initiate a full Braze email setup.
After Braze initiates setup, follow these steps:
- Braze will provide DNS records to add to your domain registry.
- Braze will verify if records have been added to your registry correctly.
- After this, select a CDN and obtain SSL certificates from a third-party provider.
- At this point, you set up your CDN. Note that Braze cannot help troubleshoot CDN configuration. Contact your CDN provider for any further assistance.
- Contact your customer success manager to get SSL turned on.
What is a CDN, and why do I need it?
A content delivery network (CDN) is a platform of servers that helps ensure quick load times of content across multiple mediums while also handling security certificates.
CDN configuration always follows after getting your DNS records validated by Braze. If you have not yet initiated this step, contact your customer success manager for more information on how to get started.
For click and open tracking, delivery partners transform links using a branded subdomain and the CDN applies the SSL certificate to those transformed links. Partners often must present valid certificates to the recipient’s browser for links and images to display correctly. Because Braze doesn’t request or manage certificates, you must set this up through a CDN.
Additional resources
For troubleshooting your CDN configuration, contact your CDN provider or see Troubleshooting for generic guidance.
Refer to the following resources by ESP partners on how to configure certain CDNs. While your specific CDN may not be listed, you must make sure your CDN has the ability to apply SSL certificates.
When you configure your CDN’s click-tracking domain, enable the X-Forwarded-Host header to prevent potential security issues such as host header attacks. Refer to CDN documentation or your support team for steps.
| Partner | CDN | Documentation |
|---|---|---|
| Amazon SES | AWS CloudFront | Using HTTPS with CloudFront |
| Amazon SES | CloudFlare | Get started with SSL/TLS |
| Amazon SES | Fastly | Setting up TLS with certificates Fastly manages |
| Amazon SES | KeyCDN | How to set up custom SSL |
| Amazon SES | Google Cloud | Google-managed SSL certificates |
| SendGrid | AWS CloudFront | How to configure SSL for click tracking using CloudFront |
| SendGrid | CloudFlare | Using CloudFlare |
| SendGrid | Fastly | Using Fastly |
| SendGrid | KeyCDN | Using KeyCDN |
| SparkPost | AWS CloudFront | Step-by-step guide with AWS CloudFront |
| SparkPost | CloudFlare | Step-by-step guide with Cloudflare |
| SparkPost | Fastly | Step-by-step guide with Fastly |
| SparkPost | Google Cloud Platform | Step-by-step guide with Google Cloud Platform |
| SparkPost | Microsoft Azure | Step-by-step guide with Microsoft Azure |
Amazon SES
If you are using Amazon SES as your ESP, refer to Option 2: Configuring an HTTPS domain in Amazon SES’s documentation and specify the AWS tracking domain by region based on your Braze cluster:
- Braze US clusters:
r.us-east-1.awstrack.me - Braze EU clusters:
r.eu-central-1.awstrack.me
When you configure your CDN’s click-tracking domain, enable the X-Forwarded-Host header to prevent potential security issues such as host header attacks. Refer to your CDN provider for steps.
Troubleshooting
While you should handle CDN configuration, certificates, and proxy issues with your CDN, use these tips to identify common SSL click tracking issues. For troubleshooting guidance, refer to Troubleshooting.