Frontend Security

Browser security controls

The GoSmarter web application is a single-page application (SPA) and we apply several layers of browser-level security to protect you whilst you use it.

Content Security Policy (CSP)

We enforce a Content Security Policy that restricts what the browser can load and execute:

Directive   | Policy                                                      | What it means
default-src | https:                                                      | Only HTTPS resources allowed by default
script-src  | 'self' https://script.supademo.com https://widget.frill.co  | Only our own scripts plus the explicitly allowlisted Supademo and Frill scripts can execute
style-src   | https: 'unsafe-inline'                                      | Styles from HTTPS sources (inline styles required by the UI framework)
worker-src  | 'self'                                                      | Service workers restricted to our own origin
object-src  | 'none'                                                      | No Flash, Java, or other plugin content

The two allowlisted script sources are product experience tools:

  • Supademo (script.supademo.com) for interactive in-app guides
  • Frill (widget.frill.co) for product feedback and communication widgets

No advertising scripts are loaded from the frontend shell.
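The following is an added example (not GoSmarter's own code) that serialises the policy from the table above and checks which loads it permits, including the CSP rule that a directive the policy does not name (img-src, connect-src, frame-src and so on) falls back to default-src, which here is `https:` and therefore accepts any HTTPS origin for those fetch types. The page origin `https://app.example.test` and the sample URLs other than the two allowlisted vendors are constructed placeholders.

```javascript
// Added example, not GoSmarter's own code: serialise the CSP from the table
// above and check which loads it permits, including default-src fallback.

// The directive values are the page's; the object shape is this example's.
const POLICY = {
  "default-src": ["https:"],
  "script-src": ["'self'", "https://script.supademo.com", "https://widget.frill.co"],
  "style-src": ["https:", "'unsafe-inline'"],
  "worker-src": ["'self'"],
  "object-src": ["'none'"],
};

// Header value a server would send for this policy.
function buildCspHeader(policy) {
  return Object.entries(policy)
    .map(([directive, sources]) => `${directive} ${sources.join(" ")}`)
    .join("; ");
}

// Match one source expression against a URL. Covers the forms used in this
// policy: 'self', 'none', a scheme source ("https:") and a host source
// ("https://host"). Nonces, hashes and wildcards are not modelled.
function sourceMatches(source, url, pageOrigin) {
  if (source === "'none'" || source === "'unsafe-inline'") return false; // neither permits a URL load
  if (source === "'self'") return url.origin === pageOrigin;
  if (/^[a-z][a-z0-9+.-]*:$/i.test(source)) return url.protocol === source; // scheme source
  const host = new URL(source); // host source
  return url.protocol === host.protocol && url.host === host.host;
}

// A directive that is absent falls back to default-src (simplified: the real
// fallback chain has intermediate steps such as child-src for workers/frames).
function governingSources(policy, directive) {
  return policy[directive] ?? policy["default-src"] ?? [];
}

// Would the browser allow loading urlString under `directive`?
function isAllowed(policy, directive, urlString, pageOrigin) {
  const url = new URL(urlString);
  return governingSources(policy, directive).some((s) => sourceMatches(s, url, pageOrigin));
}

// Constructed page origin and sample loads (placeholders, not real hosts).
const ORIGIN = "https://app.example.test";
const SAMPLE_LOADS = [
  ["script-src", "https://script.supademo.com/embed.js"],   // allowlisted vendor
  ["script-src", "https://cdn.example.net/lib.js"],          // not allowlisted
  ["script-src", `${ORIGIN}/main.js`],                        // 'self'
  ["img-src", "https://images.example.net/logo.png"],         // no img-src: falls back to https:
  ["img-src", "http://images.example.net/logo.png"],          // plain HTTP is blocked
  ["object-src", `${ORIGIN}/legacy.swf`],                     // 'none'
];

// Evaluate every sample load; returns [directive, url, allowed] triples.
function evaluateSamples(policy = POLICY, loads = SAMPLE_LOADS, origin = ORIGIN) {
  return loads.map(([directive, u]) => [directive, u, isAllowed(policy, directive, u, origin)]);
}

console.log(buildCspHeader(POLICY));
for (const [directive, u, allowed] of evaluateSamples()) {
  console.log(`${allowed ? "ALLOW" : "BLOCK"}  ${directive.padEnd(11)} ${u}`);
}
```

Running it prints the header value followed by one ALLOW/BLOCK line per sample; the two `img-src` lines make the fallback visible, which is the detail a reviewer of this policy should confirm against the directives that matter to them.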

Token storage

Authentication tokens are stored in sessionStorage, not localStorage:

  • Tokens are cleared when the browser tab is closed
  • Tokens are not accessible across tabs (unlike localStorage)
  • No authentication cookies are used
  • PII logging is explicitly disabled in the authentication library

Source maps

Production builds do not include source maps. This prevents exposing application structure and logic through browser developer tools.

API route protection

The Static Web App configuration requires an authenticated role for all /api/* routes. Unauthenticated requests to API endpoints receive a 401 response and are redirected to the login page.
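As an added example for the "Token storage" and "API route protection" sections (not GoSmarter's own code, and not the Static Web App platform's implementation), the block below models the client side of what both sections describe: a sessionStorage-backed token store, a request builder that sends the token as a bearer header and never sends cookies, and a 401 handler that drops the token and returns the login route; it also includes a simplified model of the "every /api/* route requires the authenticated role" rule. The storage key `auth_token`, the login path `/login`, the token value `demo-token` and the fake backend are all constructed; storage and fetch are injected so the same code runs in a browser (`window.sessionStorage`, `window.fetch`) or in Node.

```javascript
// Added example, not GoSmarter's own code: session-scoped token handling and
// a simplified model of the authenticated-role rule for /api/* routes.

const TOKEN_KEY = "auth_token"; // constructed key, not the real one
const LOGIN_PATH = "/login";    // constructed login route

// Session-scoped token store. With window.sessionStorage the token disappears
// when the tab closes and is invisible to other tabs.
function createTokenStore(storage) {
  return {
    get: () => storage.getItem(TOKEN_KEY),
    set: (token) => storage.setItem(TOKEN_KEY, token),
    clear: () => storage.removeItem(TOKEN_KEY),
  };
}

// Attach the bearer token (if any) and never send cookies: the page states
// that no authentication cookies are used.
function prepareRequest(store, init = {}) {
  const headers = { ...(init.headers || {}) };
  const token = store.get();
  if (token) headers.Authorization = `Bearer ${token}`;
  return { ...init, headers, credentials: "omit" };
}

// On 401 drop the token and tell the caller where to send the user.
function handleResponse(store, status, loginPath = LOGIN_PATH) {
  if (status === 401) {
    store.clear();
    return { authenticated: false, redirectTo: loginPath };
  }
  return { authenticated: true, redirectTo: null };
}

async function callApi({ store, fetchImpl, loginPath }, path, init) {
  const res = await fetchImpl(path, prepareRequest(store, init));
  return { status: res.status, ...handleResponse(store, res.status, loginPath) };
}

// Simplified model of the platform route rule (not the platform's code):
// every path under /api/ needs the "authenticated" role, else 401.
const ROUTE_RULES = [{ route: "/api/*", allowedRoles: ["authenticated"] }];
function routeDecision(path, roles) {
  const rule = ROUTE_RULES.find((r) => path.startsWith(r.route.replace(/\*$/, "")));
  if (!rule) return 200;
  return rule.allowedRoles.some((role) => roles.includes(role)) ? 200 : 401;
}

// In-memory stand-in for sessionStorage (constructed, for running outside a browser).
function memoryStorage() {
  const m = new Map();
  return {
    getItem: (k) => (m.has(k) ? m.get(k) : null),
    setItem: (k, v) => m.set(k, String(v)),
    removeItem: (k) => m.delete(k),
  };
}

// Constructed fake backend: only the constructed token "demo-token" maps to
// the authenticated role; anything else is treated as anonymous.
async function fakeFetch(path, init) {
  const roles = init.headers.Authorization === "Bearer demo-token" ? ["authenticated"] : ["anonymous"];
  const status = routeDecision(path, roles);
  return { status, ok: status === 200 };
}

async function demo() {
  const store = createTokenStore(memoryStorage());
  const client = { store, fetchImpl: fakeFetch };
  const before = await callApi(client, "/api/projects"); // no token yet: 401 and a redirect target
  store.set("demo-token");
  const after = await callApi(client, "/api/projects");  // token attached: 200
  return { before, after };
}

demo().then((r) => console.log(JSON.stringify(r, null, 2)));
```

Two design points worth noting: the 401 handler clears the stored token before returning the redirect, so a stale token never lingers in the tab after the platform has rejected it; and because sessionStorage is readable by any script executing in the page, the script-src allowlist in the CSP section is the control that keeps that set of scripts small.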

Supply chain security

  • Dependency scanning: Dependabot monitors all frontend dependencies for known vulnerabilities
  • Dependency review: Pull requests are automatically checked for high/critical CVEs and copyleft license violations
  • No hardcoded secrets: No API keys, tokens, or credentials in the frontend source code

Key points for your security team

  • CSP enforced: Strict Content Security Policy limiting script execution to self + 2 named vendors
  • Named script allowlist: Supademo (script.supademo.com) and Frill (widget.frill.co) only
  • sessionStorage tokens: Cleared on tab close, not persisted across sessions
  • No PII logging: Disabled in the authentication library configuration
  • No source maps in production: Application internals not exposed
  • Authenticated API routes: Enforced at the Static Web App platform level
  • Automated dependency scanning: Dependabot + dependency review on every PR
  • CORS policy: API cross-origin access is restricted to configured origins
  • HSTS: Strict-Transport-Security headers are set so browsers connect to the frontend only over HTTPS

Request evidence

Email us, contact us online, or book a compliance call.