One of our customers had our snippet audited by their cybersecurity team, and one of their requests was to not expose the write key externally. There are some techniques that can generate reversible hashes, like https://hapi.dev/module/iron/, that I imagine could be used.
The main idea is, while analyzing the first argument, to verify whether the argument matches a certain pattern. If it does, unseal the payload using the corresponding algorithm, and store the decrypted write key in the browser's memory.
Is it possible to do it?
Please let me know if more information is required.
This wouldn't work, because, in the end, you're sending the unencrypted write key as an HTTP request as part of the event -- if the unencrypted write key is ever in browser memory, you just have to assume it's accessible / sniffable. It doesn't stop anyone from sending garbage data to the endpoint or a script from scraping the writeKey. In client-side SDKs, our write keys are not treated as sensitive or private information.
If you need to conceal the write key, I would recommend using the edge-sdk (which has redacted write keys), or using a standard server-side SDK.
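The point made in the reply above, as an added example that is not part of the thread or the SDK's own code: a write key sealed with AES-256-GCM and unsealed on page load still appears in plaintext in the outgoing event request. The key value, page secret, endpoint and request shape are constructed assumptions, and Node's `crypto` module stands in for the browser's crypto API.

```javascript
// Added illustration; names, endpoint and key value are constructed assumptions.
const crypto = require('node:crypto');

const WRITE_KEY = 'wk_example_0000';        // constructed sample write key
const PAGE_SECRET = 'shipped-in-the-page';  // must ship with the page, or unsealing cannot work

// Build-time step: seal the write key under a key derived from PAGE_SECRET.
function seal(plaintext, secret) {
  const salt = crypto.randomBytes(16);
  const iv = crypto.randomBytes(12);
  const key = crypto.scryptSync(secret, salt, 32);
  const cipher = crypto.createCipheriv('aes-256-gcm', key, iv);
  const body = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
  const parts = [salt, iv, cipher.getAuthTag(), body];
  return 'sealed:' + parts.map((b) => b.toString('base64url')).join('.');
}

// Load-time step proposed in the issue: detect the pattern, then unseal.
function resolveWriteKey(arg, secret) {
  if (!arg.startsWith('sealed:')) return arg; // plain keys pass through unchanged
  const [salt, iv, tag, body] = arg.slice('sealed:'.length).split('.')
    .map((s) => Buffer.from(s, 'base64url'));
  const key = crypto.scryptSync(secret, salt, 32);
  const decipher = crypto.createDecipheriv('aes-256-gcm', key, iv);
  decipher.setAuthTag(tag);
  return Buffer.concat([decipher.update(body), decipher.final()]).toString('utf8');
}

// Event request the client then sends (hypothetical endpoint and body shape).
function buildTrackRequest(writeKey, event) {
  return {
    url: 'https://collector.example.invalid/v1/t',
    method: 'POST',
    body: JSON.stringify({ writeKey, type: 'track', event }),
  };
}

// Compare what is visible in the page source with what goes over the wire.
function demo() {
  const sealedArg = seal(WRITE_KEY, PAGE_SECRET);
  const inPageSource = sealedArg.includes(WRITE_KEY);
  const request = buildTrackRequest(resolveWriteKey(sealedArg, PAGE_SECRET), 'Signed Up');
  return { sealedArg, inPageSource, onTheWire: JSON.parse(request.body).writeKey };
}
```

`demo()` reports that the key is absent from the sealed argument but present in the request body, which is what the browser's network panel or any script on the page would observe.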