• HOME
  • INTEGRATIONS
  • SDKS
  • GUIDES
  • API DOCS
No results for ""
EXPAND ALL
launchdarkly.com

EDIT ON GITHUB

Secure mode

Read time: 1 minute
Last edited: Jun 18, 2021

Overview

This topic explains how to use the secure mode feature for safely evaluating feature flags in your web browser.

Using secure mode

Secure mode ensures that users' feature flag evaluations are kept private in web browser environments, and that one user cannot inspect the variations for another user. Secure mode works by having you configure your JavaScript SDK to include a server-generated HMAC SHA256 hash of your user key, signed with the SDK key for your environment.

Each of our server-side SDKs includes a method to compute the secure mode hash for a user. You can pass this to your front-end code with the mechanism of your choice, such as bootstrapping or as a template variable.

You can enable secure mode for each environment on your account settings page.

Generating a secure mode hash

You can use the following server-side SDKs to generate a secure mode hash:

  • .NET
  • Go
  • Java
  • Node.js (server-side)
  • PHP
  • Python
  • Ruby

.NET

The SecureModeHash method computes an HMAC signature of a user signed with the client's SDK key.

Here is the method:

1var hash = ldClient.SecureModeHash(user);

Go

The SecureModeHash method computes an HMAC signature of a user signed with the client's SDK key.

Here is the method:

1ldClient.SecureModeHash(user)

Java

The secureModeHash method computes an HMAC signature of a user signed with the client's SDK key.

Here is the method:

1ldClient.secureModeHash(user);

Node.js (server-side)

The secureModeHash method computes an HMAC signature of a user signed with the client's SDK key.

Here is the method:

1ldClient.secureModeHash(user);

PHP

The secureModeHash method computes an HMAC signature of a user signed with the client's SDK key.

Here is the method:

1$client->secureModeHash(user);

Python

The SecureModeHash method computes an HMAC signature of a user signed with the client's SDK key.

Here is the method:

1hash = ldclient.get().secure_mode_hash(user)

Ruby

The secure_mode_hash method computes an HMAC signature of a user signed with the client's SDK key.

Here is the method:

1ld_client.secure_mode_hash(user)

Computing the hash manually

Alternatively, you can compute the hash yourself.

To compute the hash yourself, locate the SDK key for your environment on your account settings page. Then, compute an HMAC SHA256 hash of your user key, using your SDK key as a secret.

Here's an example that uses Node.js:

1var crypto = require('crypto');
2var hmac = crypto.createHmac('sha256', 'YOUR_SDK_KEY');
3hmac.update('YOUR_USER_KEY');
4hash = hmac.digest('hex');

Configuring secure mode in the JavaScript client-side SDK

You should send the computed secure mode hash for your user as the hash attribute in the LDOptions object during client initialization:

1var ldclient = LDClient.initialize('YOUR_CLIENT_SIDE_ID', user, options = {
2 hash: "SERVER_GENERATED_HASH"
3});