Request a trial

Log in

Introduction

Web application developers work hard to maintain secure environments and minimize the risk of attacks and exposures to serious vulnerabilities. For more information about web security, see the Open Web Application Security Project's (OWASP) Ten Most Critical Web Application Security Risks.

Security

KeyLines is a low-risk, highly secure JavaScript library. It is unlikely to be affected by common security vulnerabilities because:

  • There are no third-party dependencies in the core library. KeyLines code was written by Cambridge Intelligence.*
  • KeyLines does not natively send data to remote servers or depend on server-side components.
  • Internal data structures are not available through the global scope or public interface.
  • KeyLines does not track user data or persist data in any form of local storage.
  • KeyLines source code is obfuscated and minified before distribution to prevent hijacking.
  • KeyLines runs wholly within the browser using standard JavaScript. Browsers are frequently patched to reduce the likelihood of security breaches.

In addition, new APIs and features are carefully examined to make sure they do not introduce security liabilities. KeyLines is a closed-source product - every line of code is reviewed by multiple expert developers and tested thoroughly by our experienced QA team.

* Using some optional features such as Leaflet Integration or PDF export requires third-party plugins. See Dependencies and About this Website for details.

Automated tooling

KeyLines is developed and built with an automated toolchain which is configured according to modern best practices to help identify security issues and ensure consistency and quality across the codebase. The toolchain contains a linter and a suite of security scanners, including:

  • Secret scanner - scans the source code for accidental exposure of sensitive security information
  • Container scanner - scans the webserver container for vulnerabilities
  • Dependency scanner - scans our internal and build-time dependencies for known issues and vulnerabilities
  • Static application security testing (SAST) - scans the source code for vulnerabilities, encryption issues and other potentially exploitable holes

If we identify a vulnerability, we review it internally and deal with it before release.

There is no accepted standard scanner for malicious JavaScript code. Our JavaScript files are built using secure processes and hosted on secure web servers. We will never add malicious behaviours to our source code, and we are confident that third parties cannot hijack or compromise our downloads.

Dependencies

KeyLines natively has no external dependencies and is a good JavaScript citizen: it does not extend any of the basic JavaScript types and encapsulates everything within its own namespace to avoid global name conflicts.

The only exception to this are the following optional functionalities:

Compliance

Cambridge Intelligence has implemented an information security management system that is certified to ISO 27001:2022 for the operations of software development, sale and associated support, all information assets processed and managed and all systems and services where information is processed by Cambridge Intelligence.

This includes:

  • Software Development Life Cycle
  • Risk management
  • Information classification
  • Business continuity and backups
  • Software development and code security
  • Vulnerability management
  • Logging and monitoring
  • External penetration testing
  • Physical security
  • Training and awareness

For further information, please contact our security team.

Policy review

We review this policy every six months, in line with the latest recommendations for web application security.