Skip to main content

Kameleoon Application File Integrity

Introduction

The Automation API can be used to check the integrity of the Kameleoon application file that is loaded in your website. By doing so, you ensure that our application file has not been tampered with and can be safely used inside your website.

The integrity check is achieved by retrieving a hash code based on the contents of the application file and then comparing it to the hash code of the application file being integrated on your website. Both hash codes should be equal in all cases.

This document will help you to implement this health check and thus secure the application file from tampering.

note

Please remember that our API only generates a hashCode. It is then up to you to decide whether and how you want to use the generated hash for securing the Kameleoon application file.

Sample implementation of the integrity check

The hash code of the original Kameleoon application file can be obtained by a call to our Automation API. So you will first need to get access to the Automation API (via OAuth 2.0) and read the corresponding documentation.

As you can see from the example below, once you make a request to the API endpoint to get the hash code, you can compare it to the hash code computed on your side to make sure that the file wasn't tampered with in any way.

const axios = require("axios");
const crypto = require("crypto");

const API_SSX_URL = "https://api.kameleoon.com";
const SITE_CODE = "SITE_CODE";
const HASH_TYPE = "SHA256";
const CLIENT_ID = "CLIENT_ID";
const CLIENT_SECRET = "CLIENT_SECRET";

async function obtainAuthToken() {
const response = await axios({
url: `${API_SSX_URL}/oauth/token`,
method: "POST",
headers: {
"Content-type": "application/x-www-form-urlencoded"
},
data: `grant_type=client_credentials&client_id=${CLIENT_ID}&client_secret=${CLIENT_SECRET}`
});
return response.data.access_token;
}

async function obtainHash() {
const token = await obtainAuthToken();
const hashCodeResponse = await axios({
url: `${API_SSX_URL}/sites/${SITE_CODE}/hash`,
method: "PATCH",
headers: {
Authorization: "Bearer " + token,
"Content-type": "application/json"
},
data: `{"hashType": "${HASH_TYPE}"}`
});

return hashCodeResponse.data.hashCode; // { hashCode: 'hashCode', hashType: "SHA256" }
}

// function to compare the hash code
async function checkHash() {
const scriptResponse = await axios({
url: `https://${SITE_CODE}.kameleoon.io/kameleoon.js?t=${new Date().getTime()}`,
method: "GET"
});
const hashCodeFromAPI = await obtainHash();
const hashCode = crypto.createHash(HASH_TYPE).update(scriptResponse.data).digest("hex");
return hashCodeFromAPI === hashCode;
}



checkHash();
<?php

$API_SSX_URL = 'https://api.kameleoon.com';
$SITE_CODE = 'SITE_CODE';
$HASH_TYPE = 'SHA256';
$CLIENT_ID = 'CLIENT_ID';
$CLIENT_SECRET = 'CLIENT_SECRET';

$tokenRequest = curl_init($API_SSX_URL . "/oauth/token");
curl_setopt($tokenRequest, CURLOPT_POST, 1);
curl_setopt($tokenRequest, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($tokenRequest, CURLOPT_POSTFIELDS, "grant_type=client_credentials&client_id=" . $CLIENT_ID . "&client_secret=" . $CLIENT_SECRET);
$tokenOutput = curl_exec($tokenRequest);
curl_close($tokenRequest);
$token = json_decode($tokenOutput)->access_token;

$hashRequest = curl_init($API_SSX_URL . "/sites/" . $SITE_CODE . "/hash");
curl_setopt($hashRequest, CURLOPT_CUSTOMREQUEST, 'PATCH');
curl_setopt($hashRequest, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($hashRequest, CURLOPT_POSTFIELDS, json_encode(array(
'hashType' => $HASH_TYPE
)));
curl_setopt($hashRequest, CURLOPT_HTTPHEADER, array(
'Content-Type: application/json',
'Authorization: Bearer ' . $token
));
$hashOutput = curl_exec($hashRequest);
curl_close($hashRequest);
$hash = json_decode($hashRequest)->hashCode;

// Some method to compare the hash code
checkHash($hash);
note

We do not conduct constant verification of the Kameleoon application files hosted on our CDN for every customer. We let the customer decide how the verification of the application file and the associated actions (in case of mismatching hash codes) should be implemented based on his requirements. Typically, a safe behavior would be to instantly remove the application file link from your website.

note

The domain for your Kameleoon scripts may vary from one project to another. Your projects may be hosted on either kameleoon.eu or kameleoon.io depending on their creation date. Make sure you use the domain displayed in your project in the Kameleoon App. :::