Multi-layered security protects your widget, customer data, and hosting website. Content Security Policy blocks XSS. Subresource Integrity prevents tampering. Rate limiting stops abuse. Sandboxing isolates widget code. Security headers defend against common attacks.
Security isn't optional. Widget code runs on your customer-facing pages with access to sensitive interactions. Our defense-in-depth approach layers multiple protections, ensuring security even if one layer is bypassed.
CSP headers specify which sources can load scripts, styles, images, fonts, and other resources:
eval and similar dangerous constructs are forbiddenCSP prevents 90%+ of XSS vulnerabilities by default.
Every widget asset (JavaScript, CSS) is served with a cryptographic hash. Browsers verify the hash before executing code. If an attacker compromises your CDN or intercepts traffic, the hash won't match — browsers refuse to load the tampered resource.
The widget runs in an isolated JavaScript module scope with limited access to the parent page:
localStorage or sessionStorage from the hostEven if widget code is compromised, damage is contained.
Security architecture supports compliance with: