Security
Web application developers work hard to maintain secure environments and to minimize the risk of attacks and exposure to serious vulnerabilities. For more information about web security, see the Open Web Application Security Project's (OWASP) Ten Most Critical Web Application Security Risks.
KeyLines and security
KeyLines is a low-risk, highly secure JavaScript library. It is unlikely to be affected by common security vulnerabilities because:
- There are no third-party dependencies in the core library. KeyLines code was written by Cambridge Intelligence.*
- KeyLines does not natively send data to remote servers or depend on server-side components.
- Internal data structures are not available through the global scope or public interface.
- KeyLines does not track user data or persist data in any form of local storage.
- KeyLines source code is obfuscated and minified before distribution to prevent hijacking.
- KeyLines runs wholly within the browser using standard JavaScript. Browsers are frequently patched to reduce the likelihood of security breaches.
In addition, new APIs and features are carefully examined to make sure they do not introduce security liabilities. KeyLines is a closed-source product: every line of code is reviewed by multiple expert developers and tested thoroughly by our experienced QA team.
* Using some optional features such as Leaflet Integration or PDF export requires third-party plugins. See Third Party Libraries.
Automated tooling
KeyLines is developed and built with an automated toolchain which is configured according to modern best practices to help identify security issues and ensure consistency and quality across the codebase. The toolchain contains a linter and a suite of security scanners, including:
- Secret scanner - scans the source code for accidental exposure of sensitive security information
- Container scanner - scans the webserver container for vulnerabilities
- Dependency scanner - scans our internal and build-time dependencies for known issues and vulnerabilities
- Static application security testing (SAST) - scans the source code for vulnerabilities, encryption issues and other potentially exploitable holes
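As an added illustration of what the secret scanner in the list above does, here is a minimal scanner of that kind. This is example code written for this page, not Cambridge Intelligence's tooling: the rule set, the 3.0-bit entropy threshold, the `secret-scan:ignore` allowlist marker and the sample source lines are all constructed assumptions.

```javascript
// Added example for this page, not KeyLines or Cambridge Intelligence code.
// A minimal secret scanner: a small rule set, an entropy filter for the generic
// rule, an inline allowlist marker, and findings with the secret redacted.
// Rules, the 3.0-bit threshold and the sample source are constructed assumptions.

const SECRET_RULES = [
  // AWS access key IDs have a fixed, recognisable prefix and length.
  { name: 'AWS access key id', re: /\bAKIA[0-9A-Z]{16}\b/ },
  // PEM private key headers.
  { name: 'private key block', re: /-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----/ },
  // Generic "<credential-ish name> = '<literal>'"; the literal is captured (group 1)
  // so it can be entropy-checked and redacted from the report.
  { name: 'hard-coded credential assignment',
    re: /\b(?:api[_-]?key|secret|password|token)\b\s*[:=]\s*['"]([^'"]{8,})['"]/i },
];

// Shannon entropy in bits per character; random-looking keys score high,
// placeholders such as 'password' score low.
function shannonEntropy(s) {
  const counts = new Map();
  for (const ch of s) counts.set(ch, (counts.get(ch) || 0) + 1);
  let h = 0;
  for (const c of counts.values()) {
    const p = c / s.length;
    h -= p * Math.log2(p);
  }
  return h;
}

// Scan source text line by line. Findings carry a redacted snippet so the
// report itself does not leak the secret into CI logs.
function scanSource(text, opts) {
  const minEntropy = opts && opts.minEntropy !== undefined ? opts.minEntropy : 3.0;
  const findings = [];
  text.split('\n').forEach((line, idx) => {
    // Explicit, reviewable allowlist marker for known test fixtures.
    if (/\/\/\s*secret-scan:ignore\b/.test(line)) return;
    for (const rule of SECRET_RULES) {
      const m = line.match(rule.re);
      if (!m) continue;
      // Only the generic rule captures a value; skip low-entropy placeholders.
      if (m[1] !== undefined && shannonEntropy(m[1]) < minEntropy) continue;
      const secret = m[1] !== undefined ? m[1] : m[0];
      findings.push({
        line: idx + 1,
        rule: rule.name,
        snippet: line.replace(secret, '[REDACTED]').trim(),
      });
    }
  });
  return findings;
}

// Constructed sample source. The AWS value is the placeholder key ID used in
// AWS's own documentation, not a real credential.
const SAMPLE_SOURCE = [
  "const endpoint = 'https://example.invalid/api';",        // benign
  "const apiKey = 'q7Zx9f8e7d6c5b4a3f2e1d0c';",             // high-entropy literal: flagged
  "const password = 'password';",                           // low-entropy placeholder: skipped
  "const awsId = 'AKIAIOSFODNN7EXAMPLE';",                  // fixed-format key ID: flagged
  "const token = 'xxxxxxxxxxxxxxxx'; // secret-scan:ignore", // allowlisted
].join('\n');

function scanSample() {
  return scanSource(SAMPLE_SOURCE);
}

if (typeof require !== 'undefined' && require.main === module) {
  for (const f of scanSample()) {
    console.log(`line ${f.line}: ${f.rule}: ${f.snippet}`);
  }
}
```

Run against the sample, the scanner reports two findings (the hard-coded API key on line 2 and the AWS key ID on line 4). The entropy check is what keeps the generic rule usable: without it, every `password = 'password'` placeholder in a test fixture becomes a false positive, and scanners that cry wolf get switched off. The allowlist marker is deliberately a visible comment in the source so that exemptions are reviewable in the same code review the page describes.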
If we identify a vulnerability, we review it internally and deal with it before release.
There is no accepted standard scanner for malicious JavaScript code. Our JavaScript files are built using secure processes and hosted on secure web servers. We will never add malicious behaviours to our source code, and we are confident that third parties cannot hijack or compromise our downloads.
Policy review
We review this policy every six months, in line with the latest recommendations for web application security.