Zero Trust Mode
When you identify browsers or devices with Fingerprint, you get back the visitorId value.
You can use this value in your business logic to find suspicious activity or for marketing analytics.
By default, this value is sent back to your browser or device where you can read it and do something with it, e.g. send it to your server for storage and analysis.
This works fine in most cases, but sometimes you do not want the visitorId value sent back to your devices at all. In security-critical applications, you want to hide that value and only read it on the server with your secret API key.
Instead, the client gets back a random requestId value that you can use later to read the actual visitorId server-side.
This mode of running the identification without sending the visitorId back to the client device is called Zero Trust Mode.
The Fingerprint API supports Zero Trust Mode to make it very difficult to send malicious identification requests that impersonate other visitors.
Zero Trust Mode is implemented internally by identification result hiding and strict origin-checking features.
Identification Result Hiding
Zero Trust Mode requires this feature to avoid sending the identification results to end-user browsers.
When enabled, these fields will not be sent to the end-user browser: visitorId, visitorFound, and confidenceScore. The requestId field will still be returned, because you need it to get the full results later using our Server API.
Importantly, when Zero Trust Mode is enabled, you will still get full results through the webhook.
In addition to the requestId, the JavaScript agent response will include a new field called zeroTrust that will list all the fields that were hidden:
{
  "requestId": "...",
  "zeroTrust": {
    "hiddenFields": ["visitorId", "visitorFound", "confidence"],
    "comment": "The result was hidden because of the subscription configuration."
  }
}
Likewise, the iOS and Android client agents will not receive the visitorId directly, only a requestId and other metadata.
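The flow above, as an added example that is not Fingerprint's own code: the browser forwards only the requestId, and the backend resolves the visitorId with the secret API key. The Server API endpoint (GET https://api.fpjs.io/events/{requestId} with an Auth-API-Key header), the region base URL and the products.identification.data layout of the response are assumptions; the sample agent result and event body are constructed.

```javascript
// Added example (not Fingerprint's own code): handling a Zero Trust Mode result.
// Assumptions: Server API endpoint GET https://api.fpjs.io/events/{requestId}
// (US region) authenticated with the Auth-API-Key header, and a response body
// nesting identification under products.identification.data. Sample values below
// are constructed.

const SERVER_API_BASE = "https://api.fpjs.io"; // assumed base URL for the US region

// Validate the agent response before trusting anything in it. In Zero Trust Mode
// it must carry a requestId and none of the hidden identification fields.
function parseZeroTrustResult(agentResult) {
  if (typeof agentResult.requestId !== "string" || agentResult.requestId === "") {
    throw new Error("agent result has no requestId");
  }
  for (const field of ["visitorId", "visitorFound", "confidence"]) {
    if (field in agentResult) {
      throw new Error(`${field} should not reach the client in Zero Trust Mode`);
    }
  }
  const hiddenFields = agentResult.zeroTrust?.hiddenFields ?? [];
  return { requestId: agentResult.requestId, hiddenFields };
}

// Build the Server API request. The secret key is read on the server only.
function buildEventRequest(requestId, secretApiKey, base = SERVER_API_BASE) {
  return {
    url: `${base}/events/${encodeURIComponent(requestId)}`,
    headers: { "Auth-API-Key": secretApiKey, Accept: "application/json" },
  };
}

// Pull the fields the client never saw out of the /events response, and make sure
// the event actually belongs to the requestId the client supplied.
function identificationFromEvent(eventBody, expectedRequestId) {
  const data = eventBody?.products?.identification?.data;
  if (!data || typeof data.visitorId !== "string") {
    throw new Error("event has no identification data");
  }
  if (data.requestId !== expectedRequestId) {
    throw new Error("event requestId does not match the one supplied by the client");
  }
  return {
    visitorId: data.visitorId,
    visitorFound: data.visitorFound === true,
    confidence: data.confidence?.score ?? null,
  };
}

// End-to-end server-side flow; fetch is injected so it can be stubbed in tests.
async function resolveVisitorId(agentResult, secretApiKey, fetchImpl = fetch) {
  const { requestId } = parseZeroTrustResult(agentResult);
  const { url, headers } = buildEventRequest(requestId, secretApiKey);
  const res = await fetchImpl(url, { headers });
  if (!res.ok) throw new Error(`Server API responded with HTTP ${res.status}`);
  return identificationFromEvent(await res.json(), requestId);
}

// Constructed sample of what the JavaScript agent returns in Zero Trust Mode.
const SAMPLE_AGENT_RESULT = {
  requestId: "1700000000000.AbCdEf",
  zeroTrust: {
    hiddenFields: ["visitorId", "visitorFound", "confidence"],
    comment: "The result was hidden because of the subscription configuration.",
  },
};

// Constructed sample /events body in the assumed shape.
const SAMPLE_EVENT = {
  products: {
    identification: {
      data: {
        requestId: "1700000000000.AbCdEf",
        visitorId: "constructedVisitorId000000",
        visitorFound: true,
        confidence: { score: 0.97 },
      },
    },
  },
};
```

The requestId check in identificationFromEvent is the part worth keeping: a client can only hand you a requestId, so the server should confirm that the event it fetched is the one the client claimed rather than trusting the lookup blindly.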
Strict Origin Checking
In all modern browsers, the Origin header is automatically included in all cross-origin requests.
Websites cannot spoof this header. However, some signals collected by the JavaScript agent can be spoofed.
When Zero Trust Mode is enabled, the strict origin-checking feature detects inconsistencies between the data collected by the JavaScript agent and the request headers that cannot be spoofed by the browser. These headers are the Origin and the Referer. Identification requests with inconsistencies are rejected by the server. This ensures that the url and clientReferrer values can’t be spoofed. That is important because url and clientReferrer are exposed in our Server API and webhook responses.
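The kind of consistency check described above, as an added illustration for the url value (this is not Fingerprint's implementation). It assumes the identification request is a cross-origin fetch from the page, so the Origin header carries the page origin and the Referer header carries the page URL, possibly trimmed to its origin or omitted by the page's Referrer-Policy; header names are lowercase as Node exposes them. The sample requests are constructed. The page does not say how clientReferrer is derived, so that comparison is not reproduced here.

```javascript
// Added example (not Fingerprint's own code): cross-checking the agent-reported
// url against the browser-controlled Origin and Referer headers. Assumptions: the
// request is a cross-origin fetch from the page, and Referrer-Policy may reduce
// the Referer to "<origin>/" or drop it. Sample requests below are constructed.

function originOf(urlString) {
  try {
    return new URL(urlString).origin;
  } catch (e) {
    return null; // malformed URL reported by the agent
  }
}

// Returns { accepted, reasons }. Any mismatch between the agent-reported url and
// the headers the browser sets itself marks the request for rejection.
function checkUrlConsistency(collected, headers) {
  const reasons = [];
  const pageOrigin = originOf(collected.url);
  const originHeader = headers.origin ?? null;
  const refererHeader = headers.referer ?? null;

  if (pageOrigin === null) reasons.push("url is not a valid URL");
  if (originHeader === null) {
    reasons.push("Origin header missing");
  } else if (pageOrigin !== null && pageOrigin !== originHeader) {
    reasons.push("url origin does not match Origin header");
  }

  // Referrer-Policy may strip the header or trim it to "<origin>/", so accept
  // either form, but never a different origin or a different path.
  if (refererHeader !== null && pageOrigin !== null) {
    const trimmedToOrigin = refererHeader === `${pageOrigin}/`;
    const matchesFullUrl = collected.url.startsWith(refererHeader);
    if (!trimmedToOrigin && !matchesFullUrl) {
      reasons.push("url is inconsistent with Referer header");
    }
  }
  return { accepted: reasons.length === 0, reasons };
}

// Constructed sample requests.
const GENUINE = {
  collected: { url: "https://shop.example/checkout?step=2" },
  headers: { origin: "https://shop.example", referer: "https://shop.example/" },
};
const SPOOFED_URL = {
  // The agent payload claims a page on bank.example, but the browser's own
  // headers show the request came from a different origin.
  collected: { url: "https://bank.example/login" },
  headers: { origin: "https://other.example", referer: "https://other.example/login" },
};
const NO_REFERER = {
  // Referrer-Policy: no-referrer; only Origin is available to compare.
  collected: { url: "https://shop.example/account" },
  headers: { origin: "https://shop.example" },
};
```

Note the asymmetry: a missing Referer is tolerated because a legitimate referrer policy can remove it, but a missing Origin is not, since browsers always attach it to cross-origin requests.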
You can use Zero Trust Mode with the request filtering feature for additional security.
This mode is only available for the Enterprise plan. It can be enabled on a per-workspace level.
If you would like to try this mode or learn more, please contact our support team.
Updated about 1 month ago