Security Best Practices
Use these practices when integrating the widget in production environments.
Protect secrets and credentials
- Never commit real API keys to source control
- Use environment variables or secure config management
- Use placeholders in documentation and examples (`YOUR_SOPHI_API_KEY`)
Warning: Do not copy production keys into GTM tags, public snippets, or screenshots.
Keep responsibility boundaries clear
- GTM (or tag manager): script loading after consent
- App code: widget initialization, config values, event handlers, cart/checkout actions
This separation reduces accidental credential exposure and keeps business logic testable.
Avoid documenting internal implementation details
Public docs should avoid:
- Session/token payload internals
- Internal service URLs and non-production hosts
- Private message contracts not intended as public API
- Internal cookie/session storage mechanics
Handle consent and lifecycle correctly
- Load SDK only after required consent is granted
- Initialize widget only when container is mounted
- Destroy widget on teardown to remove listeners and iframe
Safe error handling
- Attach `onError` and `error` listeners
- Log generic errors for observability
- Avoid printing sensitive config values in logs
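The consent gate, mount/teardown lifecycle and redacted error logging described above, as an added example that is not the widget's own code. The SDK surface it calls (`sdk.create`, `widget.on`, `widget.destroy`) is a hypothetical stand-in injected by the caller; only the `onError` and `error` listener names come from this page.

```javascript
// Keys whose values must never reach logs, screenshots, or error reports.
const SENSITIVE_KEYS = /key|token|secret|password/i;

// Return a copy of the config that is safe to log: sensitive values are masked.
function redactConfig(config) {
  const out = {};
  for (const [k, v] of Object.entries(config)) {
    out[k] = SENSITIVE_KEYS.test(k) ? '[REDACTED]' : v;
  }
  return out;
}

// Build a generic log record: error class plus a fixed message, no raw config.
function genericErrorRecord(err, config) {
  return {
    level: 'error',
    kind: err && err.name ? err.name : 'Error',
    message: 'widget error',      // deliberately generic, no error internals
    config: redactConfig(config), // masked, so it can go to observability
  };
}

// Lifecycle controller owned by app code; the SDK object is injected so the
// tag-manager (script loading) and app (init/config) boundaries stay separate.
// sdk.create / widget.on / widget.destroy are hypothetical, not the real API.
function createWidgetController(sdk, config, log) {
  let widget = null;
  return {
    // Initialize only when consent is granted and the container is mounted.
    mount(consentGranted, containerMounted) {
      if (!consentGranted || !containerMounted || widget) return false;
      widget = sdk.create(config);
      widget.onError((err) => log(genericErrorRecord(err, config)));
      widget.on('error', (err) => log(genericErrorRecord(err, config)));
      return true;
    },
    // Teardown removes listeners and the iframe via the SDK's destroy hook.
    unmount() {
      if (!widget) return false;
      widget.destroy();
      widget = null;
      return true;
    },
    isMounted() { return widget !== null; },
  };
}
```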