# Frontend Security

> GoSmarter's browser security controls - Content Security Policy, secure token storage, and supply chain protections.

**URL:** https://www.gosmarter.ai/docs/content/frontend-security/

---
## Browser security controls

The GoSmarter web application is a single-page application (SPA) and we apply several layers of browser-level security to protect you whilst you use it.

### Content Security Policy (CSP)

We enforce a Content Security Policy that restricts what the browser can load and execute:

| Directive | Policy | What it means |
|-----------|--------|---------------|
| `default-src` | `https:` | Only HTTPS resources allowed by default |
| `script-src` | `'self'` + `https://script.supademo.com` + `https://widget.frill.co` | Only our own scripts plus explicitly allowlisted Supademo and Frill scripts can execute |
| `style-src` | `https: 'unsafe-inline'` | Styles from HTTPS sources (inline styles required by the UI framework) |
| `worker-src` | `'self'` | Service workers restricted to our own origin |
| `object-src` | `'none'` | No Flash, Java, or other plugin content |

The two allowlisted script sources are product experience tools:

- **Supademo** (`script.supademo.com`) for interactive in-app guides
- **Frill** (`widget.frill.co`) for product feedback and communication widgets

No advertising scripts are loaded from the frontend shell.
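As an added example (not GoSmarter's own code), the check below parses the policy from the table above and flags any drift from it, so a CI step can catch a loosened `script-src` or a dropped `object-src 'none'` before it ships. The header string is constructed from the table; the allowlisted hosts are the two named on this page.

```javascript
// Policy string constructed from the CSP table above (not captured from the live site).
const POLICY = [
  "default-src https:",
  "script-src 'self' https://script.supademo.com https://widget.frill.co",
  "style-src https: 'unsafe-inline'",
  "worker-src 'self'",
  "object-src 'none'",
].join("; ");

// The only third-party script origins the page documents.
const ALLOWED_SCRIPT_HOSTS = ["https://script.supademo.com", "https://widget.frill.co"];

// Parse "name src src; name src" into { name: [src, ...] }.
// A repeated directive is ignored by browsers, so only the first occurrence is kept.
function parseCsp(header) {
  const directives = {};
  for (const part of header.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    const key = name.toLowerCase();
    if (!(key in directives)) directives[key] = sources;
  }
  return directives;
}

// Return a list of findings; an empty list means the header matches the documented controls.
function checkCsp(header, allowedScriptHosts) {
  const d = parseCsp(header);
  const findings = [];
  // script-src falls back to default-src when absent, so check whichever applies.
  const scripts = d["script-src"] || d["default-src"] || [];
  const expected = new Set(["'self'", ...allowedScriptHosts]);
  for (const src of scripts) {
    if (src === "'unsafe-inline'" || src === "'unsafe-eval'") {
      findings.push(`script-src permits ${src}`);
    } else if (!expected.has(src)) {
      findings.push(`script-src has unexpected source ${src}`);
    }
  }
  for (const host of allowedScriptHosts) {
    if (!scripts.includes(host)) findings.push(`script-src is missing ${host}`);
  }
  if (!(d["object-src"] || []).includes("'none'")) findings.push("object-src is not 'none'");
  if (!(d["worker-src"] || []).includes("'self'")) findings.push("worker-src is not 'self'");
  return findings;
}
```

Run `checkCsp(POLICY, ALLOWED_SCRIPT_HOSTS)` against the header your deployment actually serves; any non-empty result is a regression worth blocking.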

### Token storage

Authentication tokens are stored in **sessionStorage**, not localStorage:

- Tokens are cleared when the browser tab is closed
- Tokens are not accessible across tabs (unlike localStorage)
- No authentication cookies are used
- PII logging is explicitly disabled in the authentication library

### Source maps

Production builds do **not** include source maps. This prevents exposing application structure and logic through browser developer tools.

### API route protection

The Static Web App configuration requires an `authenticated` role for all `/api/*` routes. Unauthenticated requests to API endpoints receive a 401 response and are redirected to the login page.

### Supply chain security

- **Dependency scanning**: Dependabot monitors all frontend dependencies for known vulnerabilities
- **Dependency review**: Pull requests are automatically checked for high/critical CVEs and copyleft license violations
- **No hardcoded secrets**: No API keys, tokens, or credentials in the frontend source code

### Key points for your security team

- **CSP enforced**: Strict Content Security Policy limiting script execution to self + 2 named vendors
- **Named script allowlist**: Supademo (`script.supademo.com`) and Frill (`widget.frill.co`) only
- **sessionStorage tokens**: Cleared on tab close, not persisted across sessions
- **No PII logging**: Disabled in the authentication library configuration
- **No source maps in production**: Application internals not exposed
- **Authenticated API routes**: Enforced at the Static Web App platform level
- **Automated dependency scanning**: Dependabot + dependency review on every PR
- **CORS policy**: API cross-origin access is restricted to configured origins
- **HSTS**: HSTS headers are set to enforce HTTPS connections to the frontend

### Request evidence

[Email us](mailto:talktous@gosmarter.ai), [contact us online](https://gosmarter.ai/contact), or [book a compliance call](https://calendly.com/gosmarter-demo).