Security
Preventing Client SDKs from setting Traits
There may be use cases where you want to prevent client-side SDKs from setting traits on users. For example, if you set plan=silver as a trait and then enable or disable features based on that plan, a malicious user could, using a client-side SDK, update their own trait to plan=gold and unlock features they have not paid for.
You can prevent this by disabling the "Allow client SDKs to set user traits" option. This option defaults to "On". Turning it "Off" stops client-side SDKs from writing Traits to Flagsmith; traits can then only be written using a server-side SDK and a server-side Key.
This is a per-Environment setting.
Audit Logs
Every action taken within the Flagsmith administration application is tracked and logged. This allows you to retrace the events and values that flags, identities and segments have taken over time.
You can view the Audit Log within the Flagsmith application and filter it to find the information you are after.
You can also stream your Audit Logs into your own infrastructure using Audit Log Web Hooks.
Environment Banners
You can optionally provide a coloured banner for your Environments in each Environment Settings page. This helps you identify sensitive Environments before toggling flags!
Hide Sensitive Data
Enabling this feature for an Environment returns null for sensitive or unused fields in the responses generated by the SDK endpoints.
/api/v1/flags
The following fields will always be null:
id
feature.created_date
feature.description
feature.initial_value
feature.default_enabled
feature_segment
environment
identity
The response from /api/v1/flags will change from this:
[
  {
    "id": 27595,
    "feature": {
      "id": 9422,
      "name": "first_feature",
      "created_date": "2023-05-14T06:11:08.178802Z",
      "description": null,
      "initial_value": null,
      "default_enabled": false,
      "type": "STANDARD"
    },
    "feature_state_value": null,
    "environment": 5242,
    "identity": null,
    "feature_segment": null,
    "enabled": false
  },
  {
    "id": 27597,
    "feature": {
      "id": 9423,
      "name": "second_feature",
      "created_date": "2023-05-14T06:29:29.542708Z",
      "description": null,
      "initial_value": null,
      "default_enabled": false,
      "type": "STANDARD"
    },
    "feature_state_value": null,
    "environment": 5242,
    "identity": null,
    "feature_segment": null,
    "enabled": false
  }
]
To this:
[
  {
    "id": null,
    "feature": {
      "id": 9422,
      "name": "first_feature",
      "created_date": null,
      "description": null,
      "initial_value": null,
      "default_enabled": null,
      "type": "STANDARD"
    },
    "feature_state_value": null,
    "environment": null,
    "identity": null,
    "feature_segment": null,
    "enabled": false
  },
  {
    "id": null,
    "feature": {
      "id": 9423,
      "name": "second_feature",
      "created_date": null,
      "description": null,
      "initial_value": null,
      "default_enabled": null,
      "type": "STANDARD"
    },
    "feature_state_value": null,
    "environment": null,
    "identity": null,
    "feature_segment": null,
    "enabled": false
  }
]
None of the fields listed above are part of the response generated by the Edge API.
/api/v1/identities
The following fields will always be null:
flags[].id
flags[].feature.created_date
flags[].feature.description
flags[].feature.initial_value
flags[].feature.default_enabled
flags[].feature_segment
flags[].environment
flags[].identity
The following field(s) will be empty:
traits[]
The response from /api/v1/identities will change from this:
{
  "traits": [{ "id": 1, "trait_key": "key", "trait_value": "value" }],
  "flags": [
    {
      "id": 27595,
      "feature": {
        "id": 9422,
        "name": "first_feature",
        "created_date": "2023-05-14T06:11:08.178802Z",
        "description": null,
        "initial_value": null,
        "default_enabled": false,
        "type": "STANDARD"
      },
      "feature_state_value": null,
      "environment": 5242,
      "identity": null,
      "feature_segment": null,
      "enabled": false
    },
    {
      "id": 27597,
      "feature": {
        "id": 9423,
        "name": "second_feature",
        "created_date": "2023-05-14T06:29:29.542708Z",
        "description": null,
        "initial_value": null,
        "default_enabled": false,
        "type": "STANDARD"
      },
      "feature_state_value": null,
      "environment": 5242,
      "identity": null,
      "feature_segment": null,
      "enabled": false
    }
  ]
}
To this:
{
  "traits": [],
  "flags": [
    {
      "id": null,
      "feature": {
        "id": 9422,
        "name": "first_feature",
        "created_date": null,
        "description": null,
        "initial_value": null,
        "default_enabled": null,
        "type": "STANDARD"
      },
      "feature_state_value": null,
      "environment": null,
      "identity": null,
      "feature_segment": null,
      "enabled": false
    },
    {
      "id": null,
      "feature": {
        "id": 9423,
        "name": "second_feature",
        "created_date": null,
        "description": null,
        "initial_value": null,
        "default_enabled": null,
        "type": "STANDARD"
      },
      "feature_state_value": null,
      "environment": null,
      "identity": null,
      "feature_segment": null,
      "enabled": false
    }
  ]
}
Responses generated by the Edge API already exclude all of the fields listed above, apart from traits.
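After enabling "Hide Sensitive Data" it is worth confirming, from a client-side vantage point, that the SDK endpoints really do redact what this page says they redact. The following added example (it is not Flagsmith's own code) encodes the field lists given above for /api/v1/flags and /api/v1/identities and reports any documented-sensitive field that still carries a value. A field that is absent entirely is treated as fine, since the Edge API omits these fields rather than nulling them; feature.id, feature.name and feature.type are left alone because the page shows them surviving redaction. The sample responses are constructed from the examples on this page.

```python
"""Check that Flagsmith SDK responses honour the "Hide Sensitive Data" setting.

Added example, not part of Flagsmith. The field lists mirror the ones documented
above; the sample bodies below are constructed from the page's own examples.
"""
import json

# Paths into each flag object that must be null once the setting is enabled.
# feature.id, feature.name and feature.type are intentionally not listed.
FLAG_NULL_FIELDS = [
    ("id",),
    ("feature", "created_date"),
    ("feature", "description"),
    ("feature", "initial_value"),
    ("feature", "default_enabled"),
    ("feature_segment",),
    ("environment",),
    ("identity",),
]

_MISSING = object()  # sentinel: key absent (Edge API style), which is acceptable


def _lookup(obj, path):
    """Walk a key path; return _MISSING if any key along the way is absent."""
    for key in path:
        if not isinstance(obj, dict) or key not in obj:
            return _MISSING
        obj = obj[key]
    return obj


def leaked_flag_fields(flag, prefix=""):
    """Return the documented-sensitive paths on one flag object that still hold a value."""
    leaks = []
    for path in FLAG_NULL_FIELDS:
        value = _lookup(flag, path)
        # Present and non-null means the value was not redacted (false counts as a value).
        if value is not _MISSING and value is not None:
            leaks.append(prefix + ".".join(path))
    return leaks


def check_flags_response(body):
    """body: parsed JSON from GET /api/v1/flags (a list of flag objects)."""
    leaks = []
    for i, flag in enumerate(body):
        leaks += leaked_flag_fields(flag, f"[{i}].")
    return leaks


def check_identities_response(body):
    """body: parsed JSON from /api/v1/identities ({"traits": [...], "flags": [...]})."""
    leaks = []
    if body.get("traits"):  # the page says traits[] must be empty
        leaks.append("traits[]")
    for i, flag in enumerate(body.get("flags", [])):
        leaks += leaked_flag_fields(flag, f"flags[{i}].")
    return leaks


# Constructed sample bodies, reduced to one flag each, taken from the page's examples.
FLAGS_BEFORE = json.loads("""[{"id": 27595, "feature": {"id": 9422, "name": "first_feature",
  "created_date": "2023-05-14T06:11:08.178802Z", "description": null, "initial_value": null,
  "default_enabled": false, "type": "STANDARD"}, "feature_state_value": null,
  "environment": 5242, "identity": null, "feature_segment": null, "enabled": false}]""")

FLAGS_AFTER = json.loads("""[{"id": null, "feature": {"id": 9422, "name": "first_feature",
  "created_date": null, "description": null, "initial_value": null, "default_enabled": null,
  "type": "STANDARD"}, "feature_state_value": null, "environment": null, "identity": null,
  "feature_segment": null, "enabled": false}]""")

IDENTITIES_BEFORE = {"traits": [{"id": 1, "trait_key": "key", "trait_value": "value"}],
                     "flags": FLAGS_BEFORE}
IDENTITIES_AFTER = {"traits": [], "flags": FLAGS_AFTER}

# Edge API style: the sensitive keys are simply absent, which is not a leak.
EDGE_STYLE_FLAGS = [{"feature": {"id": 9422, "name": "first_feature", "type": "STANDARD"},
                     "feature_state_value": None, "enabled": False}]

if __name__ == "__main__":
    for name, leaks in [
        ("flags before", check_flags_response(FLAGS_BEFORE)),
        ("flags after", check_flags_response(FLAGS_AFTER)),
        ("identities before", check_identities_response(IDENTITIES_BEFORE)),
        ("identities after", check_identities_response(IDENTITIES_AFTER)),
        ("edge style", check_flags_response(EDGE_STYLE_FLAGS)),
    ]:
        print(f"{name}: {'OK' if not leaks else 'LEAKED ' + ', '.join(leaks)}")
```

To use it against a live Environment, fetch the endpoint with the client-side key exactly as a browser or mobile SDK would, pass the parsed body to the matching check function, and treat a non-empty result as a sign that the setting is not enabled on that Environment.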