
Secure mode

Read time: 2 minutes
Last edited: Jan 25, 2022

Overview

This topic explains how to use the secure mode feature to safely evaluate feature flags in your web browser.

Using secure mode

Secure mode ensures that users' feature flag evaluations are kept private in web browser environments, and that one user cannot inspect the variations for another user. On an insecure device, a malicious user could use a user key to identify what flag values a user receives by analyzing the results of multiple flag evaluations. Secure mode prevents you from doing an evaluation for a user key that hasn't been signed on the back end.

Secure mode works by having you configure your JavaScript SDK to include a server-generated HMAC SHA256 hash of your user key. This hash is keyed with the SDK key for your environment, which only your back end holds.

Each of our server-side SDKs includes a method to compute the secure mode hash for a user. You can pass this to your front-end code with the mechanism of your choice, such as bootstrapping or as a template variable.

You can enable secure mode for each environment in your LaunchDarkly account's Account Settings. Secure mode is an environment-wide setting. Enabling it requires every request coming from a client-side JavaScript SDK to contact the back end to evaluate flag variations. You can enable secure mode for your environment even if you're also using mobile SDKs that don't support it. Enabling secure mode does not cause those SDKs to fail.

Enable secure mode during initial setup

You can enable secure mode at any time when you use LaunchDarkly SDKs. As a best practice, we recommend that you enable secure mode during initial SDK configuration, because late-stage changes to your SDK configuration may have negative interactions with other settings.

Generating a secure mode hash

You can use the following server-side SDKs to generate a secure mode hash:

  • .NET (server-side)
  • Go
  • Java
  • Node.js (server-side)
  • PHP
  • Python
  • Ruby
  • Rust

.NET (server-side)

The SecureModeHash method computes an HMAC signature of a user signed with the client's SDK key.

Here is the method:

var hash = client.SecureModeHash(user);

Go

The SecureModeHash method computes an HMAC signature of a user signed with the client's SDK key.

Here is the method:

client.SecureModeHash(user)

Java

The secureModeHash method computes an HMAC signature of a user signed with the client's SDK key.

Here is the method:

client.secureModeHash(user);

Node.js (server-side)

The secureModeHash method computes an HMAC signature of a user signed with the client's SDK key.

Here is the method:

client.secureModeHash(user);

PHP

The secureModeHash method computes an HMAC signature of a user signed with the client's SDK key.

Here is the method:

$client->secureModeHash($user);

Python

The secure_mode_hash method computes an HMAC signature of a user signed with the client's SDK key.

Here is the method:

hash = ldclient.get().secure_mode_hash(user)

Ruby

The secure_mode_hash method computes an HMAC signature of a user signed with the client's SDK key.

Here is the method:

client.secure_mode_hash(user)

Rust

The secure_mode_hash method computes an HMAC signature of a user signed with the client's SDK key.

Here is the method:

client.secure_mode_hash(&user);

Computing the hash manually

Alternatively, you can compute the hash yourself.

To compute the hash yourself, locate the SDK key for your environment on your account settings page. Then, compute an HMAC SHA256 hash of your user key, using your SDK key as a secret.

Here's an example that uses Node.js:

var crypto = require('crypto');
// Key the HMAC with the environment's SDK key; this must run on the server, never in the browser.
var hmac = crypto.createHmac('sha256', 'YOUR_SDK_KEY');
hmac.update('YOUR_USER_KEY');
var hash = hmac.digest('hex');

Configuring secure mode in the JavaScript client-side SDK

You should send the computed secure mode hash for your user as the hash attribute in the LDOptions object during client initialization and as the hash parameter if subsequently identifying new user contexts:

var options = {
  hash: "SERVER_GENERATED_HASH"
};
var client = LDClient.initialize('YOUR_CLIENT_SIDE_ID', user, options);

To use secure mode, user objects must contain a predefined key attribute. Secure mode is not compatible with the SDK's ability to automatically generate user keys for anonymous users because the SDK needs a correctly calculated hash value.