Skip to main content

Security

Preventing Client SDKS from setting Traits

There may be use-cases where you want to prevent client-side SDKs from setting traits of users. For example, if you are setting plan=silver as a trait, and then enabling/disabling features based on that plan, a malicious user could, with a client-side SDK, update their trait to plan=gold and unlock features they have not paid for.

You can prevent this by disabling the "Allow client SDKs to set user traits" option. This option defaults to "On". Turning it "Off" will not allow client-side SDKs to write Traits to Flagsmith. In order to write traits, you will need to use a server-side SDK and server-side Key.

This is a per-Environment setting.

Environment Banners

You can optionally provide a coloured banner for your Environments in each Environment Settings page. This helps you identify sensitive Environments before toggling Flags.

Hide Sensitive Data

Enabling this feature within the Environment will return null for sensitive or unused fields in the response generated by the SDK endpoints.

/api/v1/flags

The following fields will always be Null:

  • id
  • feature.created_date
  • feature.description
  • feature.initial_value
  • feature.default_enabled
  • feature_segment
  • environment
  • identity

The response from /api/v1/flags will change from this:

[
 {
  "id": 27595,
  "feature": {
   "id": 9422,
   "name": "first_feature",
   "created_date": "2023-05-14T06:11:08.178802Z",
   "description": null,
   "initial_value": null,
   "default_enabled": false,
   "type": "STANDARD"
  },
  "feature_state_value": null,
  "environment": 5242,
  "identity": null,
  "feature_segment": null,
  "enabled": false
 },
 {
  "id": 27597,
  "feature": {
   "id": 9423,
   "name": "second_feature",
   "created_date": "2023-05-14T06:29:29.542708Z",
   "description": null,
   "initial_value": null,
   "default_enabled": false,
   "type": "STANDARD"
  },
  "feature_state_value": null,
  "environment": 5242,
  "identity": null,
  "feature_segment": null,
  "enabled": false
 }
]

To this:

[
 {
  "id": null,
  "feature": {
   "id": 9422,
   "name": "first_feature",
   "created_date": null,
   "description": null,
   "initial_value": null,
   "default_enabled": null,
   "type": "STANDARD"
  },
  "feature_state_value": null,
  "environment": null,
  "identity": null,
  "feature_segment": null,
  "enabled": false
 },
 {
  "id": null,
  "feature": {
   "id": 9423,
   "name": "second_feature",
   "created_date": null,
   "description": null,
   "initial_value": null,
   "default_enabled": null,
   "type": "STANDARD"
  },
  "feature_state_value": null,
  "environment": null,
  "identity": null,
  "feature_segment": null,
  "enabled": false
 }
]
info

All fields mentioned are not part of the response generated by the Edge API.

/api/v1/identities

The following fields will always be Null:

  • flags[].id
  • flags[].feature.created_date
  • flags[].feature.description
  • flags[].feature.initial_value
  • flags[].feature.default_enabled
  • flags[].feature_segment
  • flags[].environment
  • flags[].identity

The following field(s) will be empty

  • traits[]

The response for /api/v1/identities will change from this:

{
 "traits": [{ "id": 1, "trait_key": "key", "trait_value": "value" }],
 "flags": [
  {
   "id": 27595,
   "feature": {
    "id": 9422,
    "name": "first_feature",
    "created_date": "2023-05-14T06:11:08.178802Z",
    "description": null,
    "initial_value": null,
    "default_enabled": false,
    "type": "STANDARD"
   },
   "feature_state_value": null,
   "environment": 5242,
   "identity": null,
   "feature_segment": null,
   "enabled": false
  },
  {
   "id": 27597,
   "feature": {
    "id": 9423,
    "name": "second_feature",
    "created_date": "2023-05-14T06:29:29.542708Z",
    "description": null,
    "initial_value": null,
    "default_enabled": false,
    "type": "STANDARD"
   },
   "feature_state_value": null,
   "environment": 5242,
   "identity": null,
   "feature_segment": null,
   "enabled": false
  }
 ]
}

To this

{
 "traits": [],
 "flags": [
  {
   "id": null,
   "feature": {
    "id": 9422,
    "name": "first_feature",
    "created_date": null,
    "description": null,
    "initial_value": null,
    "default_enabled": null,
    "type": "STANDARD"
   },
   "feature_state_value": null,
   "environment": null,
   "identity": null,
   "feature_segment": null,
   "enabled": false
  },
  {
   "id": null,
   "feature": {
    "id": 9423,
    "name": "second_feature",
    "created_date": null,
    "description": null,
    "initial_value": null,
    "default_enabled": false,
    "type": "STANDARD"
   },
   "feature_state_value": null,
   "environment": null,
   "identity": null,
   "feature_segment": null,
   "enabled": false
  }
 ]
}
info

Responses generated by Edge API already excludes all the above-mentioned fields apart from traits