Security Recommendations
One of the most important ways to secure the identity of your users, so that one user cannot impersonate another, is Identity Verification. We describe it here.
If your conversation IDs are easy to predict (for example, sequential database IDs), we suggest that you hash them together with a secret key before using them as TalkJS conversation IDs, so that strangers cannot guess an ID and join a conversation they do not belong to. Alternatively, disable browser synchronization altogether and synchronize all data via the REST API, so that conversations are only ever created from your server.
We recommend that you verify the authenticity of every webhook event sent to your webhook endpoint. Each TalkJS webhook event is sent with the X-TalkJS-Signature and X-TalkJS-Timestamp header fields; together with your secret key, these let you verify the integrity and authenticity of the event by recomputing the signature and comparing it with the one received, as shown below (Node.js; request, rawPostBody and yourSecretKey are placeholders for your framework's request object, the raw request body bytes and your TalkJS secret key):

```javascript
const crypto = require('crypto');

const receivedSignature = request.headers['x-talkjs-signature'];
const timestamp = request.headers['x-talkjs-timestamp'];

// rawPostBody MUST be the full byte-for-byte HTTP POST body. Do not parse the
// JSON and re-serialize it: any change in whitespace or key order changes the hash.
const payload = timestamp + '.' + rawPostBody;

// HMAC-SHA256 of the payload, encoded as uppercase hexadecimal characters (A-F0-9).
const validSignature = crypto
  .createHmac('sha256', yourSecretKey)
  .update(payload)
  .digest('hex')
  .toUpperCase();

if (validSignature === receivedSignature) {
  // Authentic webhook request: process the event
} else {
  // The integrity check failed: discard the event
}
```

Treat a missing header as a failed check, and in production prefer a constant-time comparison (for example crypto.timingSafeEqual in Node.js) over a plain string comparison, so that an attacker cannot learn the correct signature byte by byte from response timing.
Content Security Policy (CSP) is a security layer that helps detect and mitigate certain classes of attack, such as cross-site scripting (XSS) and clickjacking. If you want to secure your application, which we recommend, please follow the instructions presented on Content Security Policy.