Security

Preventing Client SDKs from setting Traits

There may be use cases where you want to prevent client-side SDKs from setting user traits. For example, if you set plan=silver as a trait and then enable or disable features based on that plan, a malicious user could use a client-side SDK to update their trait to plan=gold and unlock features they have not paid for.

You can prevent this by disabling the "Allow client-side SDKs to set traits" option. This option defaults to "On". Turning it "Off" means any traits sent by client-side SDKs will be completely ignored — they will not be persisted, and they will not be used for segment evaluation. In order to set traits, you will need to use a server-side SDK and server-side Key. You can still use client-side SDKs to read flags for an identity whose traits have been set server-side.

This is a per-Environment setting.

Environment Banners

You can optionally provide a coloured banner for your environments in each Environment Settings page. This helps you identify sensitive environments before toggling flags.

Hide Sensitive Data

Enabling this feature within the Environment will return null for sensitive or unused fields in the response generated by the SDK endpoints.

/api/v1/flags

The following fields will always be null:

  • id
  • feature.created_date
  • feature.description
  • feature.initial_value
  • feature.default_enabled
  • feature_segment
  • environment
  • identity

The response from /api/v1/flags will change from this:

[
  {
    "id": 27595,
    "feature": {
      "id": 9422,
      "name": "first_feature",
      "created_date": "2023-05-14T06:11:08.178802Z",
      "description": null,
      "initial_value": null,
      "default_enabled": false,
      "type": "STANDARD"
    },
    "feature_state_value": null,
    "environment": 5242,
    "identity": null,
    "feature_segment": null,
    "enabled": false
  },
  {
    "id": 27597,
    "feature": {
      "id": 9423,
      "name": "second_feature",
      "created_date": "2023-05-14T06:29:29.542708Z",
      "description": null,
      "initial_value": null,
      "default_enabled": false,
      "type": "STANDARD"
    },
    "feature_state_value": null,
    "environment": 5242,
    "identity": null,
    "feature_segment": null,
    "enabled": false
  }
]

To this:

[
  {
    "id": null,
    "feature": {
      "id": 9422,
      "name": "first_feature",
      "created_date": null,
      "description": null,
      "initial_value": null,
      "default_enabled": null,
      "type": "STANDARD"
    },
    "feature_state_value": null,
    "environment": null,
    "identity": null,
    "feature_segment": null,
    "enabled": false
  },
  {
    "id": null,
    "feature": {
      "id": 9423,
      "name": "second_feature",
      "created_date": null,
      "description": null,
      "initial_value": null,
      "default_enabled": null,
      "type": "STANDARD"
    },
    "feature_state_value": null,
    "environment": null,
    "identity": null,
    "feature_segment": null,
    "enabled": false
  }
]

Info: None of the fields mentioned above are part of the response generated by the Edge API.

/api/v1/identities

The following fields will always be null:

  • flags[].id
  • flags[].feature.created_date
  • flags[].feature.description
  • flags[].feature.initial_value
  • flags[].feature.default_enabled
  • flags[].feature_segment
  • flags[].environment
  • flags[].identity

The following field(s) will be empty:

  • traits[]

The response for /api/v1/identities will change from this:

{
  "traits": [{ "id": 1, "trait_key": "key", "trait_value": "value" }],
  "flags": [
    {
      "id": 27595,
      "feature": {
        "id": 9422,
        "name": "first_feature",
        "created_date": "2023-05-14T06:11:08.178802Z",
        "description": null,
        "initial_value": null,
        "default_enabled": false,
        "type": "STANDARD"
      },
      "feature_state_value": null,
      "environment": 5242,
      "identity": null,
      "feature_segment": null,
      "enabled": false
    },
    {
      "id": 27597,
      "feature": {
        "id": 9423,
        "name": "second_feature",
        "created_date": "2023-05-14T06:29:29.542708Z",
        "description": null,
        "initial_value": null,
        "default_enabled": false,
        "type": "STANDARD"
      },
      "feature_state_value": null,
      "environment": 5242,
      "identity": null,
      "feature_segment": null,
      "enabled": false
    }
  ]
}

To this:

{
  "traits": [],
  "flags": [
    {
      "id": null,
      "feature": {
        "id": 9422,
        "name": "first_feature",
        "created_date": null,
        "description": null,
        "initial_value": null,
        "default_enabled": null,
        "type": "STANDARD"
      },
      "feature_state_value": null,
      "environment": null,
      "identity": null,
      "feature_segment": null,
      "enabled": false
    },
    {
      "id": null,
      "feature": {
        "id": 9423,
        "name": "second_feature",
        "created_date": null,
        "description": null,
        "initial_value": null,
        "default_enabled": null,
        "type": "STANDARD"
      },
      "feature_state_value": null,
      "environment": null,
      "identity": null,
      "feature_segment": null,
      "enabled": false
    }
  ]
}

Info: Responses generated by the Edge API already exclude all the above-mentioned fields apart from traits.
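
One way to confirm that Hide Sensitive Data is in effect is to audit a captured SDK response against the field lists above. This is an added example, not code from this documentation or its SDKs; the function names `leaking_fields` and `audit_response` are hypothetical, and the sample bodies are constructed from the responses shown on this page.

```python
import json

# Fields the page lists as always null when Hide Sensitive Data is on.
NULL_FLAG_FIELDS = ("id", "feature_segment", "environment", "identity")
NULL_FEATURE_FIELDS = ("created_date", "description", "initial_value",
                       "default_enabled")

def leaking_fields(flag, prefix):
    """Paths of listed fields in one flag object that carry a non-null value."""
    # A missing key counts as hidden; `false` is a value, so it counts as a leak.
    leaks = [f"{prefix}.{k}" for k in NULL_FLAG_FIELDS
             if flag.get(k) is not None]
    feature = flag.get("feature") or {}
    leaks += [f"{prefix}.feature.{k}" for k in NULL_FEATURE_FIELDS
              if feature.get(k) is not None]
    return leaks

def audit_response(body):
    """Audit a /api/v1/flags (array) or /api/v1/identities (object) body."""
    data = json.loads(body)
    leaks, base = [], ""
    if isinstance(data, dict):          # identities: traits[] must be empty
        if data.get("traits"):
            leaks.append("traits[]")
        data, base = data.get("flags", []), "flags"
    for i, flag in enumerate(data):
        leaks += leaking_fields(flag, f"{base}[{i}]")
    return leaks

# Constructed samples, trimmed from the responses shown on this page.
IDENTITIES_UNHIDDEN = """{"traits": [{"id": 1, "trait_key": "key", "trait_value": "value"}],
 "flags": [{"id": 27595, "feature": {"id": 9422, "name": "first_feature",
   "created_date": "2023-05-14T06:11:08.178802Z", "description": null,
   "initial_value": null, "default_enabled": false, "type": "STANDARD"},
   "feature_state_value": null, "environment": 5242, "identity": null,
   "feature_segment": null, "enabled": false}]}"""
FLAGS_HIDDEN = """[{"id": null, "feature": {"id": 9422, "name": "first_feature",
   "created_date": null, "description": null, "initial_value": null,
   "default_enabled": null, "type": "STANDARD"},
   "feature_state_value": null, "environment": null, "identity": null,
   "feature_segment": null, "enabled": false}]"""

if __name__ == "__main__":
    print("unhidden:", audit_response(IDENTITIES_UNHIDDEN))
    print("hidden:  ", audit_response(FLAGS_HIDDEN))
```

An empty list means every listed field is null or absent, so the same check also passes for Edge API responses that omit those fields.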