JavaScript security
The JavaScript Security settings give you fine-grained control over which write operations the browser-side JavaScript APIs are allowed to perform. Configuring them correctly protects your platform from abuse while still allowing the functionality your implementation needs.
Why security matters
Because the JavaScript APIs are called from the user's browser, every part of a call (which user, which action, how many points) is under the user's control: anyone with the browser's developer tools can alter a call, replay it, or issue one by hand to gain an unfair advantage. The security settings let you control precisely which of those actions may be performed through JavaScript at all.
Permission categories
Activity tracking permissions
These settings control which gamification activities can be tracked through the JavaScript Activities API:
| Permission type | Description | Security implications |
|---|---|---|
| **Points management** | | |
| Set points | Directly set a user's point balance | Could be used to set a balance to any value the caller chooses |
| Increment points | Add points to the existing balance | Lower risk than set points, but the caller still chooses the amount and can repeat the call |
| Redeem points | Allow points to be spent | Could drain a balance if the call is forged |
| Refund points | Return redeemed points | Could duplicate points when combined with a forged redeem call |
| **Coupon handling** | | |
| Redeem coupon | Apply a coupon's benefits | Potential for coupon abuse |
| Refund coupon | Return a redeemed coupon | Redeem/refund loops could allow unlimited coupon usage |
| **Bounty management** | | |
| Start bounty | Begin a new bounty | Could create unauthorized challenges |
| Cancel bounty | End a bounty prematurely | Could interfere with active promotions |
| Award bounty | Grant a bounty reward | Could award benefits that were never earned |
| **Other actions** | | |
| Track behaviour | Record user activities | Fundamental to gamification, but easily spoofed from the browser |
| Create gift | Generate gifts for users | Required for the Gifting Widget |
User management permissions
You can also enable creation and modification of users through the JavaScript User APIs:
- Create users
- Update users
Important considerations
Behaviour tracking
The "Track behaviour" setting is a master control for whether any behaviours can be tracked via JavaScript. However, each individual behaviour must also have JavaScript tracking explicitly enabled in its configuration:
- Navigate to the specific behaviour
- Go to its Security settings
- Enable JavaScript tracking
This two-level permission system allows fine-grained control over which specific behaviours can be tracked through JavaScript.
Gifting functionality
The "Create gift" permission must be enabled for the Gifting Widget to function properly. If you're experiencing issues with the gifting widget, verify this permission is activated.
Troubleshooting security settings
If your JavaScript tracking isn't working as expected:
- Check the global JavaScript security settings
- Verify individual behaviour settings
- Look for console errors that might indicate permission issues
- Test with the simulator
Note: These permissions are disabled by default to prevent cheating. Because a JavaScript call originates in the user's browser, a technically skilled user can issue the same call by hand and record activities that were never actually performed.
Security best practices
When configuring JavaScript security:
- Enable only the permissions your implementation actually uses; each enabled write permission is a call a user can forge from the browser
- Regularly audit which permissions are enabled and remove any that are no longer needed
- Track high-value activities server-side, where the user cannot alter the call (anything that sets points, redeems or refunds points or coupons, or awards bounties)
- Before granting a reward, validate on your own backend that the underlying action really happened, and reject repeated submissions of the same action
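The following is an added example, not code from the platform or its JavaScript APIs. It contrasts a handler that trusts whatever the browser sends (equivalent to enabling "Set points" or "Increment points" for JavaScript) with a server-side handler that takes the user from the authenticated session, checks the claimed action against your own records, computes the point value itself, and drops replays. `makePlatformApi` is a hypothetical in-memory stand-in for a server-side tracking API; `ORDERS`, `REVIEWS` and `BEHAVIOUR_POINTS` are constructed sample data standing in for your own database and reward rules.

```javascript
// Added example (not the platform's own code). Demonstrates why browser-side
// reward calls cannot be trusted and what a server-side handler must check.
// makePlatformApi is a hypothetical stand-in for a server-side tracking API.

// Points per behaviour live on the server; the browser never supplies a value.
const BEHAVIOUR_POINTS = { purchase: 100, review: 10 };

// Constructed sample records (stand-in for your own database).
const ORDERS = new Map([
  ["ord-1", { userId: "alice", status: "paid" }],
  ["ord-2", { userId: "bob", status: "paid" }],
  ["ord-3", { userId: "alice", status: "cancelled" }],
]);
const REVIEWS = new Map([["rev-1", { userId: "alice", published: true }]]);

// Each behaviour names the evidence that proves it happened for this user.
const EVIDENCE = {
  purchase: (userId, id) => {
    const o = ORDERS.get(id);
    return Boolean(o && o.userId === userId && o.status === "paid");
  },
  review: (userId, id) => {
    const r = REVIEWS.get(id);
    return Boolean(r && r.userId === userId && r.published);
  },
};

// Hypothetical in-memory stand-in for the platform's server-side API.
function makePlatformApi() {
  const ledger = new Map();
  return {
    incrementPoints(userId, points) {
      ledger.set(userId, (ledger.get(userId) || 0) + points);
    },
    balance(userId) {
      return ledger.get(userId) || 0;
    },
  };
}

// INSECURE: every field comes from the request body, which the browser fully
// controls, so the caller chooses both the user and the amount.
function trackFromClient(api, body) {
  api.incrementPoints(body.userId, body.points);
  return { ok: true };
}

// HARDENED: identity comes from the authenticated session, the claimed action
// is verified against our own records, the amount is computed server-side, and
// a (user, behaviour, evidence) key rejects replays of an otherwise valid call.
function trackServerSide(api, session, body, seen) {
  if (!session || !session.userId) return { ok: false, reason: "unauthenticated" };
  const points = BEHAVIOUR_POINTS[body.behaviour];
  const verify = EVIDENCE[body.behaviour];
  if (points === undefined || !verify) return { ok: false, reason: "unknown behaviour" };
  if (!verify(session.userId, body.evidenceId)) return { ok: false, reason: "no matching evidence" };
  const key = `${session.userId}\n${body.behaviour}\n${body.evidenceId}`;
  if (seen.has(key)) return { ok: false, reason: "duplicate" };
  seen.add(key);
  api.incrementPoints(session.userId, points); // any body.points field is ignored
  return { ok: true, points };
}

// Walk-through: bob inflates his balance through the client-trusting handler,
// then fails every forgery attempt against the hardened one.
function demo() {
  const weak = makePlatformApi();
  trackFromClient(weak, { userId: "bob", points: 1000000 });
  const strong = makePlatformApi();
  const seen = new Set();
  const bob = { userId: "bob" };
  return {
    weakBalance: weak.balance("bob"),
    claimsAlicesOrder: trackServerSide(strong, bob, { behaviour: "purchase", evidenceId: "ord-1" }, seen).reason,
    ownOrder: trackServerSide(strong, bob, { behaviour: "purchase", evidenceId: "ord-2" }, seen),
    replay: trackServerSide(strong, bob, { behaviour: "purchase", evidenceId: "ord-2" }, seen).reason,
    strongBalance: strong.balance("bob"),
  };
}

console.log(demo());
```

The hardened handler is the server-side counterpart of the two-level permission model: the browser may only report that something happened, and the decision about who gets rewarded, and by how much, is made where the user cannot tamper with it. In a real deployment the `seen` set would be a persistent store keyed the same way, and `EVIDENCE` would query your own order, review or event tables.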