My search index contains sensitive data. How can I prevent it from being exposed?


I’m indexing content from multiple users and I want to make sure a user can only see their own content. How can I prevent sensitive data from being exposed with Swiftype?

Swiftype can handle user-specific content using a custom field and search filters. For example, suppose each of your users has a unique ID called user_id. You can include user_id as a field on every document, and then filter each search by the user’s ID.

For Pro or Business Customers

Swiftype’s public search API allows any user to perform any query given your public engine key (which is what is used to identify your engine).

This is great because it allows Swiftype to provide JSONP access to search and autocomplete without you having to send requests through your server. However, using JSONP with the engine key is only tenable if all the data in your search engine can be searched publicly.

If you have user data that must be kept private from other users, keep your engine key secret and send search requests to your own server first. Your server then uses your private API key to access our API directly (you can use one of our API clients to make this easier).

To search only data accessible to a certain user, use filters and make sure that the user cannot change the filter – it should be set only on your server.

Routing traffic through your server will be slightly slower, but it will allow you to maintain security while still providing high-quality search results.
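The server-side step described above, as an added example (not Swiftype's own code): it builds the upstream search body from untrusted browser parameters and sets the user_id filter from the authenticated session only. The document type name "documents", the allowed parameter list, the page limit and the JSON body shape are assumptions to check against the Swiftype API reference.

```python
import os

# Assumptions (not from the page): document type name, allowed parameters,
# page limit and the JSON body shape. Check them against the API reference.
DOCUMENT_TYPE = "documents"
ALLOWED_CLIENT_PARAMS = {"q", "page"}
MAX_PAGE = 50


def build_search_body(session_user_id, client_params, api_key):
    """Build the upstream search body from untrusted browser input.

    session_user_id must come from the authenticated server-side session,
    never from the request itself.
    """
    if not session_user_id:
        raise PermissionError("search requires an authenticated user")
    # Keep only allowed keys: a client-supplied "filters" or "auth_token"
    # is discarded before anything is forwarded.
    safe = {k: v for k, v in client_params.items() if k in ALLOWED_CLIENT_PARAMS}
    query = str(safe.get("q", ""))[:256]
    try:
        page = int(safe.get("page", 1))
    except (TypeError, ValueError):
        page = 1
    page = min(max(page, 1), MAX_PAGE)
    return {
        "auth_token": api_key,  # private API key, stays on the server
        "q": query,
        "page": page,
        # The filter is set here and nowhere else.
        "filters": {DOCUMENT_TYPE: {"user_id": session_user_id}},
    }


def only_owned(session_user_id, records):
    """Defense in depth: drop any returned record owned by another user."""
    return [r for r in records if r.get("user_id") == session_user_id]


if __name__ == "__main__":
    # Constructed sample: browser parameters that carry their own filter.
    params = {"q": "invoice", "page": "2",
              "filters": {DOCUMENT_TYPE: {"user_id": "u-999"}}}
    key = os.environ.get("SWIFTYPE_API_KEY", "PLACEHOLDER_KEY")
    print(build_search_body("u-123", params, key)["filters"])
```

Pass the returned dictionary to your API client or HTTP library on the server, and run only_owned over the records before returning them to the browser.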

For Enterprise Customers

Swiftype offers the ability to restrict API access to a whitelist of IP addresses. This enhances your security if you are concerned about API access with a shared key.