My search index contains sensitive data. How can I prevent it from being exposed?



I’m indexing content from multiple users and I want to make sure a user can only see their own content. How can I prevent sensitive data from being exposed with Swiftype?

Swiftype can handle user-specific content using a custom field and search filters. For example, say each of your users had a unique ID called user_id. You can include user_id as a field for every document. You would then be able to filter each search by the user’s ID.

For Pro or Premium Customers

Swiftype’s public search API allows an end-user to submit read-only, client-side query requests.

This is great because it allows Swiftype to provide JSONP access to the Search and Autocomplete endpoints without you having to send requests through your host server. However, using JSONP with the engine key is only tenable if all the data in your search engine can be searched publicly.

If you have user data you need to keep private from other users, keep your engine key secret and send search requests to your own server first. Your server then uses your private API key to access our API directly (you can use one of our API clients to make this easier).

To search only data accessible to a certain user, use filters and make sure that the user cannot change the filter – it should be set only on your server.

Routing traffic through your server will be slightly slower, but it will allow you to maintain security while still providing high-quality search results.

For Premium Customers

Swiftype offers the ability to restrict request access to your Site Search engine(s) to only those originating from a range or block of whitelisted IP addresses (provided by the customer). This allows for enhanced security when shared key API access is a concern.
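
The server-side filter described under "For Pro or Premium Customers", as an added example that is not Swiftype's own code: the proxy takes user_id from the authenticated session, ignores any filter or key the browser sends, and re-checks ownership on the results. The endpoint layout, the payload and response shapes, and every name below are assumptions to check against the API reference.

```python
import json
import urllib.request

# Assumed, not from the page: endpoint layout, payload shape and all names here.
API_BASE = "https://api.swiftype.com/api/v1"
CLIENT_KEYS = {"q", "page", "per_page"}  # allowlist: "filters" is never accepted


def build_payload(session_user_id, client_params, doc_type="documents"):
    """Build the upstream body; the user_id filter comes only from the session."""
    if not session_user_id:
        raise PermissionError("no authenticated user, refusing to search")
    payload = {k: v for k, v in client_params.items() if k in CLIENT_KEYS}
    if not isinstance(payload.get("q"), str):
        raise ValueError("q must be a string")
    # Set last, so nothing the browser sent can widen or replace the filter.
    payload["filters"] = {doc_type: {"user_id": str(session_user_id)}}
    return payload


def only_own(records, session_user_id):
    """Defence in depth: drop any returned record not owned by the caller."""
    return [r for r in records if str(r.get("user_id")) == str(session_user_id)]


def search(engine, doc_type, api_key, session_user_id, client_params):
    """Send the query with the private key; call this only from server code."""
    body = build_payload(session_user_id, client_params, doc_type)
    body["auth_token"] = api_key  # added server-side, never echoed to the client
    url = f"{API_BASE}/engines/{engine}/document_types/{doc_type}/search.json"
    req = urllib.request.Request(url, data=json.dumps(body).encode(),
                                 headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=5) as resp:
        records = json.load(resp).get("records", {}).get(doc_type, [])
    return only_own(records, session_user_id)


# Constructed request in which the browser supplies its own filter and key.
HOSTILE = {"q": "invoice", "user_id": "42", "auth_token": "x",
           "filters": {"documents": {"user_id": "42"}}}
```
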