Kameleoon Application File Integrity
Introduction
The Automation API allows you to verify the integrity of the Kameleoon application file loaded on your website. By performing this check, you can confirm that the application file served to your visitors has not been altered and is safe to load.
The integrity check works by obtaining, from the API, a hash of the application file as Kameleoon published it, and comparing it with a hash you compute over the file actually being served to your website. If the file is intact, the two hashes are identical; a mismatch means the file differs from the one Kameleoon published and should be treated as potentially tampered with.
This document walks you through implementing this health check so you can detect tampering with the application file.
Please note that our API only generates a hashCode. It is up to you to decide how to use the generated hash (how often to check, and what to do on a mismatch) to secure the Kameleoon application file on your site.
Sample implementation of the integrity check
To obtain the hash code of the original Kameleoon application file, call our Automation API. First, you need to authenticate against the Automation API using OAuth 2.0 (client credentials); see the Automation API documentation for the details of that flow.
As shown in the examples below (Node.js and PHP), after you request the hash code from the API endpoint, you download the application file that your website actually loads, compute its hash with the same algorithm, and compare the two values to ensure that the file has not been tampered with in any way.
JavaScript (Node.js):

const axios = require("axios");
const crypto = require("crypto");

const API_SSX_URL = "https://api.kameleoon.com";
const SITE_CODE = "SITE_CODE";
const HASH_TYPE = "SHA256";
const CLIENT_ID = "CLIENT_ID";
const CLIENT_SECRET = "CLIENT_SECRET";

// Exchange the client credentials for a bearer token (OAuth 2.0 client_credentials grant).
async function obtainAuthToken() {
  const response = await axios({
    url: `${API_SSX_URL}/oauth/token`,
    method: "POST",
    headers: {
      "Content-Type": "application/x-www-form-urlencoded"
    },
    // URLSearchParams percent-encodes the values, so a secret containing '&' or '=' is sent intact.
    data: new URLSearchParams({
      grant_type: "client_credentials",
      client_id: CLIENT_ID,
      client_secret: CLIENT_SECRET
    }).toString()
  });
  return response.data.access_token;
}

// Ask the Automation API for the hash of the original application file.
async function obtainHash() {
  const token = await obtainAuthToken();
  const hashCodeResponse = await axios({
    url: `${API_SSX_URL}/sites/${SITE_CODE}/hash`,
    method: "PATCH",
    headers: {
      Authorization: "Bearer " + token,
      "Content-Type": "application/json"
    },
    data: { hashType: HASH_TYPE }
  });
  return hashCodeResponse.data.hashCode; // response body: { hashCode: "...", hashType: "SHA256" }
}

// Download the file actually served to visitors and compare its hash with the API's value.
async function checkHash() {
  const scriptResponse = await axios({
    // The cache-busting query parameter ensures a fresh copy is fetched rather than a cached one.
    url: `https://${SITE_CODE}.kameleoon.io/kameleoon.js?t=${Date.now()}`,
    method: "GET",
    // Hash the raw bytes as served; decoding to a string and re-encoding could alter them.
    responseType: "arraybuffer"
  });
  const hashCodeFromAPI = await obtainHash();
  const hashCode = crypto.createHash(HASH_TYPE).update(Buffer.from(scriptResponse.data)).digest("hex");
  // Compare case-insensitively: hex digests may be reported in upper or lower case.
  return hashCodeFromAPI.toLowerCase() === hashCode.toLowerCase();
}

checkHash()
  .then((isIntact) => console.log(isIntact ? "Application file is intact" : "Hash mismatch: application file may have been tampered with"))
  .catch((err) => console.error("Integrity check failed:", err.message));
PHP:

<?php
$API_SSX_URL = 'https://api.kameleoon.com';
$SITE_CODE = 'SITE_CODE';
$HASH_TYPE = 'SHA256';
$CLIENT_ID = 'CLIENT_ID';
$CLIENT_SECRET = 'CLIENT_SECRET';

// Exchange the client credentials for a bearer token (OAuth 2.0 client_credentials grant).
$tokenRequest = curl_init($API_SSX_URL . "/oauth/token");
curl_setopt($tokenRequest, CURLOPT_POST, 1);
curl_setopt($tokenRequest, CURLOPT_RETURNTRANSFER, 1);
// http_build_query percent-encodes the values, so a secret containing '&' or '=' is sent intact.
curl_setopt($tokenRequest, CURLOPT_POSTFIELDS, http_build_query(array('grant_type' => 'client_credentials', 'client_id' => $CLIENT_ID, 'client_secret' => $CLIENT_SECRET)));
$tokenOutput = curl_exec($tokenRequest);
curl_close($tokenRequest);
$token = json_decode($tokenOutput)->access_token;

// Ask the Automation API for the hash of the original application file.
$hashRequest = curl_init($API_SSX_URL . "/sites/" . $SITE_CODE . "/hash");
curl_setopt($hashRequest, CURLOPT_CUSTOMREQUEST, 'PATCH');
curl_setopt($hashRequest, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($hashRequest, CURLOPT_POSTFIELDS, json_encode(array(
    'hashType' => $HASH_TYPE
)));
curl_setopt($hashRequest, CURLOPT_HTTPHEADER, array(
    'Content-Type: application/json',
    'Authorization: Bearer ' . $token
));
$hashOutput = curl_exec($hashRequest);
curl_close($hashRequest);
// Decode the response body ($hashOutput), not the cURL handle.
$hash = json_decode($hashOutput)->hashCode;

// Download the file actually served to visitors and compare its hash with the API's value.
function checkHash($expectedHash, $siteCode, $hashType) {
    // The cache-busting query parameter ensures a fresh copy is fetched rather than a cached one.
    $scriptRequest = curl_init("https://" . $siteCode . ".kameleoon.io/kameleoon.js?t=" . time());
    curl_setopt($scriptRequest, CURLOPT_RETURNTRANSFER, 1);
    $script = curl_exec($scriptRequest);
    curl_close($scriptRequest);
    if ($script === false || !is_string($expectedHash)) {
        return false;
    }
    // Use the lowercase algorithm name hash() documents, and compare hex digests
    // case-insensitively and in constant time.
    $actualHash = hash(strtolower($hashType), $script);
    return hash_equals(strtolower($expectedHash), $actualHash);
}

if (checkHash($hash, $SITE_CODE, $HASH_TYPE)) {
    echo "Application file is intact\n";
} else {
    echo "Hash mismatch: application file may have been tampered with\n";
}
We do not continuously verify the Kameleoon application files hosted on our CDN for each customer. Instead, we leave it to our customers to decide how the application files should be verified (for example, how often the check runs) and what action to take when the hash codes do not match, based on their specific requirements. Generally, a safe practice is to remove the application file's script tag from your website as soon as a mismatch is detected, and to investigate before restoring it.
The domain for your Kameleoon scripts may differ between projects. Depending on when your projects were created, they may be hosted on either kameleoon.eu or kameleoon.io. Be sure to use the domain that is displayed in your project within the Kameleoon App.