Secure mode

Overview

This topic explains how to use the secure mode feature to safely evaluate feature flags in your web browser.

Using secure mode

Secure mode ensures that users' feature flag evaluations are kept private in web browser environments, and that one user cannot inspect the variations for another user. On an insecure device, a malicious user could use a user key to identify what flag values a user receives by analyzing the results of multiple flag evaluations. Secure mode prevents you from doing an evaluation for a user key that hasn't been signed on the back end.

Secure mode works by having you configure your JavaScript SDK to include a server-generated HMAC SHA256 hash of your user key. This hash is signed with the SDK key for your environment.

Each of our server-side SDKs includes a method to compute the secure mode hash for a user. You can pass this to your front-end code with the mechanism of your choice, such as bootstrapping or as a template variable.

You can enable secure mode for each environment in your LaunchDarkly account's Account Settings. Secure mode is an environment-wide setting. Enabling it requires every request coming from a client-side JavaScript SDK to contact the back end to evaluate flag variations. You can enable secure mode for your environment even if you're also using mobile SDKs that don't support it. Enabling secure mode does not cause those SDKs to fail.

Generating a secure mode hash

You can use the following server-side SDKs to generate a secure mode hash:

• .NET (server-side)
• Go
• Java
• Node.js (server-side)
• PHP
• Python
• Ruby
• Rust

.NET (server-side)

The SecureModeHash method computes an HMAC signature of a user signed with the client's SDK key.

Here is the method:

var hash = client.SecureModeHash(user);
COPY

Go

The SecureModeHash method computes an HMAC signature of a user signed with the client's SDK key.

Here is the method:

client.SecureModeHash(user)
COPY

Java

The secureModeHash method computes an HMAC signature of a user signed with the client's SDK key.

Here is the method:

client.secureModeHash(user);
COPY

Node.js (server-side)

The secureModeHash method computes an HMAC signature of a user signed with the client's SDK key.

Here is the method:

client.secureModeHash(user);
COPY

PHP

The secureModeHash method computes an HMAC signature of a user signed with the client's SDK key.

Here is the method:

$client->secureModeHash(user);
COPY

Python

The SecureModeHash method computes an HMAC signature of a user signed with the client's SDK key.

Here is the method:

hash = ldclient.get().secure_mode_hash(user)
COPY

Ruby

The secure_mode_hash method computes an HMAC signature of a user signed with the client's SDK key.

Here is the method:

client.secure_mode_hash(user)
COPY

Rust

The secure_mode_hash method computes an HMAC signature of a user signed with the client's SDK key.

Here is the method:

client.secure_mode_hash(&user);
COPY

Computing the hash manually

Alternatively, you can compute the hash yourself.

To compute the hash yourself, locate the SDK key for your environment on your account settings page. Then, compute an HMAC SHA256 hash of your user key, using your SDK key as a secret.

Here's an example that uses Node.js:

var crypto = require('crypto');
var hmac = crypto.createHmac('sha256', 'YOUR_SDK_KEY');
hmac.update('YOUR_USER_KEY');
hash = hmac.digest('hex');
COPY

Configuring secure mode in the JavaScript client-side SDK

You should send the computed secure mode hash for your user as the hash attribute in the LDOptions object during client initialization and as the hash parameter if subsequently identifying new user contexts:

var client = LDClient.initialize('YOUR_CLIENT_SIDE_ID', user, options = {
  hash: "SERVER_GENERATED_HASH"
});
COPY

To use secure mode, user objects must contain a predefined key attribute. Secure mode is not compatible with the SDK's ability to automatically generate user keys for anonymous users because the SDK needs a correctly calculated hash value.