The widget uses JWT tokens for authentication:
config: {
apiBaseUrl: 'https://api.example.com',
tenantId: 'tenant-123',
authToken: 'eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...',
}Best Practices:
- Tokens should be short-lived (recommended: 1 hour)
- Tokens should be renewed before expiration
- Never log or expose tokens in console
- Use HTTPS for all API communications
The widget respects CORS headers from the orchestrator:
- Only requests to configured
apiBaseUrlare allowed - CORS errors should be handled gracefully
- Preflight requests are automatically handled
Input Sanitization:
- All user input is sanitized before display
- Angular's built-in sanitization is used
- HTML in messages is sanitized
- No inline JavaScript execution
Output Encoding:
// Safe: Angular automatically escapes
{{ userInput }}
// For trusted content, use sanitization
[innerHTML]="sanitize(content)"No PII Storage:
- No PII stored in localStorage
- No PII stored in sessionStorage
- All PII is stored in-memory only
- Session data is cleared on close
Sensitive Data Masking:
- Sensitive fields are automatically masked in transcript
- Masking is done client-side for display
- Server receives unmasked data (if required)
POST requests include idempotency keys:
headers.set('Idempotency-Key', idempotencyService.generateKey());This prevents:
- Duplicate submissions
- Race conditions
- Accidental re-submissions
When embedding the widget, ensure CSP headers allow:
Content-Security-Policy:
script-src 'self' https://cdn.example.com;
style-src 'self' 'unsafe-inline' https://fonts.googleapis.com;
font-src 'self' https://fonts.gstatic.com;
connect-src 'self' https://api.example.com wss://api.example.com;
- JWT tokens are validated on server
- CORS is properly configured
- HTTPS is used for all communications
- User input is sanitized
- No XSS vulnerabilities
- No PII in localStorage
- Idempotency keys are unique
- Dependencies are up-to-date (no vulnerabilities)
- CSP headers are configured
- Error messages don't expose sensitive information
Regularly scan for vulnerabilities:
npm audit
npm audit fixIf you discover a security vulnerability:
- DO NOT open a public issue
- Email: security@example.com
- Include:
- Description of the vulnerability
- Steps to reproduce
- Potential impact
- Suggested fix (if any)
- Validate JWT tokens on the server
- Use HTTPS for all communications
- Configure CORS properly
- Sanitize input on the server as well
- Monitor for suspicious activity
- Keep dependencies up-to-date
- Never commit tokens or secrets
- Use environment variables for sensitive config
- Sanitize all user input
- Validate all server responses
- Handle errors gracefully (no sensitive info in errors)
- Review code for security issues
- Test for XSS and injection vulnerabilities
- WebSocket URLs should use
wss://(secure WebSocket) - Validate WebSocket origin on server
- Implement rate limiting for WebSocket connections
- Validate file types and sizes
- Scan uploads for malware
- Store uploads securely
- Don't execute uploaded files
- Voice recordings may contain sensitive information
- Ensure secure transmission (wss://)
- Clear recordings after processing
- Comply with data privacy regulations