---
url: https://talkjs.com/docs/Features/Security
---

# Security recommendations

This page details several steps that you can take to keep your chat and user data secure.

## Enable authentication (identity verification)

Secure your TalkJS chat by [setting up and enabling authentication (identity verification)](/docs/Features/Security/Authentication/). With authentication, nobody can connect to your TalkJS chats without providing a valid authentication token that was generated and digitally signed by your backend.

Always enable authentication on any live service. Authentication keeps your user data secure by ensuring that only legitimate users can connect to your chat.

## Use hard-to-predict conversation IDs

If your conversation IDs are easy to predict, we suggest that you [hash them with a secret](/docs/Concepts/Conversations/#securing-the-conversation) so they can't be joined by strangers. Alternatively, [disable browser synchronization altogether](/docs/Features/Security/Browser_Synchronization/) and synchronize all data via the REST API.

## Verify webhook integrity

We recommend you verify the authenticity of webhook events sent to your webhook endpoint. Each TalkJS [webhook](/docs/Webhooks/) event is sent with the `X-TalkJS-Signature` and `X-TalkJS-Timestamp` header fields; these can be used along with your secret key marked as "use for webhooks" to verify the integrity and authenticity of TalkJS webhook events by checking the signature as shown below (pseudocode):

```javascript
const crypto = require('crypto');

// Returns true when the webhook request is authentic.
// rawPostBody MUST be the full byte-for-byte HTTP POST body (Buffer or string),
// not a re-serialized JSON object. Node.js lowercases incoming header names,
// so X-TalkJS-Signature and X-TalkJS-Timestamp arrive as shown below.
function isValidTalkJSWebhook(headers, rawPostBody, yourSecretKey) {
  const receivedSignature = headers['x-talkjs-signature'];
  const timestamp = headers['x-talkjs-timestamp'];
  if (!receivedSignature || !timestamp) return false;

  // HMAC-SHA256 over "<timestamp>.<raw body>", encoded as uppercase hexadecimal (A-Z0-9).
  const validSignature = crypto
    .createHmac('sha256', yourSecretKey)
    .update(timestamp + '.')
    .update(rawPostBody)
    .digest('hex')
    .toUpperCase();

  // Constant-time comparison so the check does not leak how many characters matched.
  const expected = Buffer.from(validSignature);
  const received = Buffer.from(receivedSignature);
  return expected.length === received.length && crypto.timingSafeEqual(expected, received);
}

// In your HTTP handler:
if (isValidTalkJSWebhook(request.headers, rawPostBody, yourSecretKey)) {
  // Authentic webhook request: do something with the event
} else {
  // The integrity check failed: discard the event
}
```

## Use a Content Security Policy

Content Security Policy (CSP) is a security layer that helps to detect and protect against certain types of attacks like XSS or clickjacking. If you want to secure your application, which we recommend, then please follow the instructions presented on [Content Security Policy](/docs/Features/Security/Content_Security_Policy/).