Which data is the client exposed to?

Follow

Alex Badyan

• January 24, 2021 10:06

Trying to figure out which data exactly the client (e.g. Javascript sdk) is exposed to and the overview page doesn't provide enough information.

The concern is two-fold: 1) A client can get any segment and feature flag in the system since it's easy to pass in a different customer id, 2) the rules themselves could expose sensitive information like if we whitelist special users or accounts, this would be visible to other clients and might make them a target for hackers.

Am I missing something or is this just a system limitation?

0

• 

  Dave Murphy

  • January 25, 2021 15:33

  For the Javascript (and mobile) SDK the client only gets the segments and whitelists for the key passed to Split when you instantiate the SDK.  And that information will only go to the client if you pass a known user ID, since an anonymous user will obviously not be included as part of a specific rule.  The client does not see any information for segments to which they do not belong or the keys for other accounts or users for those segments to which they do belong.  

  dave

  0

  Comment actions Permalink
• 

  Alex Badyan

  • January 26, 2021 09:10

  Right, so this assumes that customer ids are hard to guess, that they are some sort of random string, am I correct?

  0

  Comment actions Permalink
• 

  Dave Murphy

  • January 26, 2021 15:59

  That's usually the case.  What you pass as a key is entirely up to you.  You could set a cookie, use a GUID that is created as a customer ID, pass a device ID if on mobile, an account/company ID if appropriate.  You could even pass a random, hashed ID, depending on your needs.

  0

  Comment actions Permalink

Please sign in to leave a comment.