Embed Script Security

Security model for the Inpera embed script.

The Inpera embed script is designed with privacy and security as top priorities.

Privacy Guarantees

What We DON'T Collect

Data Type | Collected?
Input values (passwords, forms) | ❌ Never
Cookies | ❌ Never
localStorage/sessionStorage | ❌ Never
Authentication tokens | ❌ Never
Personal user data | ❌ Never

What We DO Collect

Data Type | How
Element structure | Tag, ID, classes, attributes
Text content | Trimmed to 100 characters
Styles | Key properties only (font, color, size)
Input metadata | Type and value length only
Assets | URLs of images, scripts, stylesheets
Events | Click/hover positions, timestamps

Technical Safeguards

No Sensitive Data Capture

// Input events capture type and length, never value
{
  "elementType": "input",
  "inputType": "password",
  "valueLength": 12,  // ✅ Safe
  // "value": "..." - NEVER captured
}

No Storage Access

The script never reads or writes to:

  • document.cookie
  • localStorage
  • sessionStorage
  • indexedDB

Fail-Safe Operation

The script is wrapped in try-catch and will never:

  • Break your website functionality
  • Show error messages to users
  • Block page rendering

// Production build - all operations are safe
(function() {
  try {
    // All functionality here
  } catch (e) {
    // Silent failure - site continues normally
  }
})();

IIFE Isolation

All code runs in an Immediately Invoked Function Expression:

  • No global variable pollution
  • No conflicts with your code
  • Clean namespace isolation

Network Security

HTTPS Only

All data is transmitted over HTTPS to:

https://api.inpera.app/v1/collect

Authentication

Requests include a project key header:

x-project-key: pk_your_project_key

Invalid project keys are rejected.

Batched Transmission

  • Data is batched and sent every 2 seconds
  • Requests use exponential backoff on failure
  • Maximum 5 retry attempts
  • Silent degradation if API unavailable

Content Security Policy

If you use CSP, add these directives:

script-src cdn.inpera.app;
connect-src api.inpera.app;
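
If you already serve a policy, the two directives have to be merged into it rather than appended. The following is an added example, not Inpera's code, with hypothetical function names: it adds the two hosts above to an existing policy string and handles the case where your policy only sets default-src, since a newly added script-src or connect-src stops the browser from falling back to default-src.

```javascript
// Added example, not Inpera's code. Hosts are the two named on this page.
const INPERA_SOURCES = {
  'script-src': ['cdn.inpera.app'],
  'connect-src': ['api.inpera.app'],
};

// Parse "name src1 src2; name2 ..." into a Map that keeps directive order.
function parseCsp(policy) {
  const directives = new Map();
  for (const part of policy.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // Browsers ignore a repeated directive, so keep only the first.
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// Hypothetical helper: return the policy with the Inpera hosts allowed.
function addInperaToCsp(policy) {
  const directives = parseCsp(policy);
  for (const [name, hosts] of Object.entries(INPERA_SOURCES)) {
    let sources = directives.get(name);
    if (!sources) {
      // Neither this directive nor default-src: this fetch type is not
      // restricted, and adding the directive would restrict it.
      if (!directives.has('default-src')) continue;
      // A new script-src/connect-src replaces the default-src fallback,
      // so copy default-src's sources to keep what was already allowed.
      sources = [...directives.get('default-src')];
    }
    // 'none' is only valid alone; drop it once a host is being allowed.
    sources = sources.filter((s) => s.toLowerCase() !== "'none'");
    for (const host of hosts) {
      if (!sources.includes(host)) sources.push(host);
    }
    directives.set(name, sources);
  }
  return [...directives].map(([n, s]) => [n, ...s].join(' ')).join('; ');
}

console.log(addInperaToCsp("default-src 'self'; img-src *"));
```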

Best Practices

Protect Your Project Key

Project keys are URL-safe but should be treated with care:

  • ✅ Safe to include in frontend code (required for embed)
  • ✅ Scoped to specific project
  • ❌ Don't share keys publicly
  • ❌ Don't use the same key in different environments

Use Environment-Specific Keys

Create separate projects for:

  • Development
  • Staging
  • Production

Each has its own project key.

Questions?

For security questions or to report vulnerabilities: [email protected]