IP Spoofing | Community
Tom_Baker
Level 2
January 13, 2020
Question

IP Spoofing

  • January 13, 2020
  • 3 replies
  • 7300 views

One of our Marketo landing pages calls an external API to pass some information. For this, the external API client ID and secret are placed on the landing page.

In order to secure this setup, we are planning to use IP restrictions to only allow calls from the landing page to the external server. I just wanted to confirm if we should be concerned regarding IP Spoofing? Also, any other security risks involved with this approach?

Also, will there be extra concerns to do with shared Marketo IP?


3 replies

SanfordWhiteman
Level 10
January 13, 2020

One of our Marketo landing pages, calls an external API to pass some information. For this, the external API client ID and secret are placed on the landing page.

Um, okay, no longer an API secret though as obviously anyone can read it from the webpage (the whole idea of a secret is it is not world-readable).

It's operating more like an API key in this scenario.

In order to secure this setup, we are planning to use IP restrictions to only allow calls from the landing page to the external server.

The IP address seen by the remote API will be the public IP address of the person viewing the page. How are you predicting this IP address? Are you locking this down so it can only be used from a particular external IP or subnet?

I just wanted to confirm if we should be concerned regarding IP Spoofing?

In practice, no, you don't need to worry about spoofing a (TCP) IP source address across the net, because that'll be blocked by transit routers.

Also, will there be extra concerns to do with shared Marketo IP?

The IP address of your Marketo instance will not be the source IP address of connections made by end users, so the question doesn't really make sense.

Tom_Baker (Author)
Level 2
January 13, 2020

You're right. Not an API secret anymore.

Regarding 'The IP address of your Marketo instance will not be the source IP address of connections made by end users, so the question doesn't really make sense':

Since the landing page sits on Marketo, will the source IP of the API calls made via the landing page not be from the Marketo IP? If not, is there any other way for the API server to authenticate?

SanfordWhiteman
Level 10
January 13, 2020

Regarding 'The IP address of your Marketo instance will not be the source IP address of connections made by end users, so the question doesn't really make sense'

Since the landing page sits on Marketo, will the source IP of the API calls made via the landing page not be from the Marketo IP?

Of course not, the source IP is the person's external IP.

(Just like the source IP of your visits to this page, on Marketo Nation, isn't the IP address of the Jive Community server. It's your home/work IP.)

Rajesh_Talele3
Level 2
January 13, 2020

Hi Alex,

Do you mean to use 'landing page domain' based restriction instead of the IP address of the visitor?

Thus the service would allow a web page to use the service only if the web page is on your website(s). If someone else copies the 'access credentials' and creates a web page on their domain, the service should reject the request. The unauthorized person would not be able to host their landing page on your domain(s).

Hope this helps...

SanfordWhiteman
Level 10
January 13, 2020

What you're describing isn't secure at all. The referrer can be trivially forged by an absolute newbie.

So I hope that isn't what Alex means...

Rajesh_Talele3
Level 2
January 13, 2020

I agree. I was asking if that was what the service provider meant instead of the IP address.

Do you think there is a way to use a CSRF token mechanism, if the service provides one, along with custom JavaScript on the Marketo landing page in such an instance?
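The two mechanisms discussed in the last few replies, as an added example that is not code from any participant in this thread: a Referer check of the kind Rajesh describes, which accepts any request whose header the caller simply set, and a short-lived HMAC-signed token of the CSRF-token kind he asks about, where the long-lived secret stays on a backend the site owner controls and the page only ever handles a token that expires. The host name `pages.example.com`, the signing key, the token format and the request dictionaries are all constructed for illustration, and `mint_token` stands in for a hypothetical backend endpoint; the caveat Sanford and Tony raise still applies, because whoever can call that endpoint gets tokens, so the endpoint itself needs gating (a session check or rate limit) that the example does not implement.

```python
"""Added example: a Referer-based origin check versus a short-lived
HMAC-signed token. Every host name, key and request below is constructed
for illustration and is not part of the original thread."""
import hashlib
import hmac
import secrets
import time
from typing import Optional

# Hypothetical landing-page host the external API would "trust".
ALLOWED_REFERER_HOSTS = {"pages.example.com"}


def referer_check(request: dict) -> bool:
    """Origin check based on the Referer header.

    The header is set by whoever makes the request, so a copied page on
    another domain, or a plain curl call, passes just as easily as the
    real page. Returns True when the Referer host is on the allowlist.
    """
    referer = request.get("headers", {}).get("Referer", "")
    host = referer.split("//", 1)[-1].split("/", 1)[0].lower()
    return host in ALLOWED_REFERER_HOSTS


# Constructed requests: one from the real page, one from a copycat who
# pasted the credentials into a script and sent the header themselves.
REAL_PAGE_REQUEST = {
    "source_ip": "198.51.100.7",  # the visitor's own public IP, not Marketo's
    "headers": {"Referer": "https://pages.example.com/offer"},
}
FORGED_REQUEST = {
    "source_ip": "203.0.113.9",   # attacker's machine
    "headers": {"Referer": "https://pages.example.com/offer",  # curl -H 'Referer: ...'
                "User-Agent": "curl/8.0"},
}

# Shared only between the site owner's token-minting backend and the
# external API (hypothetical). The landing page never sees this value.
API_SIGNING_KEY = b"constructed-example-key-do-not-reuse"
TOKEN_TTL_SECONDS = 60


def mint_token(scope: str, now: Optional[float] = None,
               key: bytes = API_SIGNING_KEY) -> str:
    """Backend side: issue "scope.expiry.nonce.mac".

    Assumption: this runs on an endpoint the site owner controls, not in
    page JavaScript. Anyone who can reach the endpoint gets a token, so
    the endpoint itself must be gated (session, rate limit); that gate is
    outside this example.
    """
    now = time.time() if now is None else now
    expiry = int(now) + TOKEN_TTL_SECONDS
    nonce = secrets.token_hex(8)
    payload = f"{scope}.{expiry}.{nonce}".encode()
    mac = hmac.new(key, payload, hashlib.sha256).hexdigest()
    return f"{scope}.{expiry}.{nonce}.{mac}"


def verify_token(token: str, expected_scope: str,
                 now: Optional[float] = None,
                 key: bytes = API_SIGNING_KEY) -> bool:
    """API side: accept only an untampered, unexpired token for this scope.

    Replay within the lifetime is still possible unless the API also
    records nonces it has already seen; that store is left out here.
    """
    now = time.time() if now is None else now
    try:
        scope, expiry_str, nonce, mac = token.rsplit(".", 3)
        expiry = int(expiry_str)
    except ValueError:
        return False
    payload = f"{scope}.{expiry}.{nonce}".encode()
    expected_mac = hmac.new(key, payload, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected_mac, mac):
        return False            # forged or tampered
    if scope != expected_scope:
        return False            # token issued for a different operation
    return now < expiry         # an expired token is worthless to a copier


if __name__ == "__main__":
    print("referer check, real page :", referer_check(REAL_PAGE_REQUEST))
    print("referer check, forged    :", referer_check(FORGED_REQUEST))
    token = mint_token("submit-form", now=1_000.0)
    print("token fresh              :", verify_token(token, "submit-form", now=1_030.0))
    print("token after TTL          :", verify_token(token, "submit-form", now=1_061.0))
    print("token tampered           :", verify_token(token[:-1] + "x", "submit-form", now=1_030.0))
```

Both requests pass `referer_check`, which is the whole of Sanford's objection. The token variant changes what a copier gets: the client secret never appears in page source, and a token lifted from the page is useless after `TOKEN_TTL_SECONDS` and for any other scope. It does not authenticate the page, since the minting endpoint, not the token, is where the trust decision now lives. IP allowlisting is deliberately not modelled: as noted earlier in the thread, the source address the API sees is each visitor's own, not a predictable Marketo address.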

Tony_Mayse
Level 2
January 13, 2020

If @Sanford Whiteman hasn't made it clear, this is a bad idea entirely.

The discussion has been very abstract. Right now you're getting very specific answers to your questions, but are left with many choices to make. To get more useful ideas, it might be helpful to explain your overall goal in simple terms so that we can help propose a workable solution.

Tom_Baker (Author)
Level 2
January 13, 2020

Thanks Tony.

I'll start a new question with a better question and clear suggestions.