Which data is the client exposed to?
Trying to figure out which data exactly the client (e.g. the JavaScript SDK) is exposed to; the overview page doesn't provide enough information.
The concern is two-fold: 1) A client can get any segment and feature flag in the system since it's easy to pass in a different customer id, 2) the rules themselves could expose sensitive information like if we whitelist special users or accounts, this would be visible to other clients and might make them a target for hackers.
Am I missing something or is this just a system limitation?
-
For the JavaScript (and mobile) SDK, the client only gets the segments and whitelists for the key passed to Split when you instantiate the SDK. And that information will only go to the client if you pass a known user ID, since an anonymous user will obviously not be included as part of a specific rule. The client does not see any information for segments to which they do not belong, or the keys for other accounts or users for those segments to which they do belong.
dave
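To make the scoping described in the answer concrete, here is an added example that is not part of the original thread and not Split's own code. It models the two shapes a client-side payload could take: a naive one that ships the full rule definitions (including every whitelisted key, which is exactly the exposure the question worries about) and a per-key one that only tells the client which segments the instantiating key belongs to. The segment definitions are constructed sample data, and the function names (`clientPayloadFor`, `naiveRulesPayload`, `payloadMentions`) are hypothetical.

```javascript
// Added example: modelling per-key scoping of a client-side SDK payload.
// Not Split's implementation; segment data below is constructed and the
// function names are hypothetical.

// Server-side view: full segment definitions, including every member key.
// This must never leave the server as-is.
const serverSegments = {
  beta_testers:   { keys: new Set(["alice", "bob"]) },
  vip_accounts:   { keys: new Set(["acme-corp", "globex"]) },
  internal_staff: { keys: new Set(["carol"]) },
};

// The insecure shape: serialise the rules themselves. Any client, regardless
// of which key it passed, can read every whitelisted user and account.
function naiveRulesPayload(segments = serverSegments) {
  const out = {};
  for (const [name, def] of Object.entries(segments)) {
    out[name] = { keys: [...def.keys].sort() };
  }
  return out;
}

// The scoped shape: evaluate membership on the server for the single key the
// SDK was instantiated with, and return only the names of segments that key
// is in. Other members' keys are never included, and a segment the key is
// not in does not appear at all.
function clientPayloadFor(userKey, segments = serverSegments) {
  const memberships = [];
  for (const [name, def] of Object.entries(segments)) {
    if (def.keys.has(userKey)) memberships.push(name);
  }
  return { key: userKey, segments: memberships.sort() };
}

// Helper for checking what a payload would reveal on the wire: does the
// serialised JSON contain a given identifier anywhere?
function payloadMentions(payload, needle) {
  return JSON.stringify(payload).includes(needle);
}

// Walk-through of the difference.
const naive = naiveRulesPayload();
const forAlice = clientPayloadFor("alice");
const forAnon = clientPayloadFor("anon-7f3a"); // unknown/anonymous key

console.log("naive payload leaks bob:", payloadMentions(naive, "bob"));       // true
console.log("alice payload leaks bob:", payloadMentions(forAlice, "bob"));    // false
console.log("alice sees:", forAlice.segments);                                // ["beta_testers"]
console.log("anonymous sees:", forAnon.segments);                             // []
```

The point of the contrast is where evaluation happens: if the client receives rules, it also receives every identifier those rules name; if it receives only the evaluation for its own key, passing somebody else's key yields that key's memberships but still no other members' identifiers. The scoped shape is what a client-side SDK should be checked against, for example by instantiating it with a throwaway key and inspecting the network responses for identifiers that do not belong to that key.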