Frontend IntegrationSDKSecurity Best Practices

Security Best Practices

Use these practices when integrating the widget in production environments.

Use these practices when integrating the widget in production environments.

Protect secrets and credentials

  • Never commit real API keys to source control
  • Use environment variables or secure config management
  • Use placeholders in documentation and examples (YOUR_SOPHI_API_KEY)

Do not copy production keys into GTM tags, public snippets, or screenshots.

Keep responsibility boundaries clear

  • GTM (or tag manager): script loading after consent
  • App code: widget initialization, config values, event handlers, cart/checkout actions

This separation reduces accidental credential exposure and keeps business logic testable.

Avoid documenting internal implementation details

Public docs should avoid:

  • Session/token payload internals
  • Internal service URLs and non-production hosts
  • Private message contracts not intended as public API
  • Internal cookie/session storage mechanics
  • Load SDK only after required consent is granted
  • Initialize widget only when container is mounted
  • Destroy widget on teardown to remove listeners and iframe

Safe error handling

  • Attach onError and error listeners
  • Log generic errors for observability
  • Avoid printing sensitive config values in logs

On this page