Skip to main content

Kameleoon Application File Integrity


The Automation API can be used to check the integrity of the Kameleoon application file that is loaded in your website. By doing so, you ensure that our application file has not been tampered with and can be safely used inside your website.

The integrity check is achieved by retrieving a hash code based on the contents of the application file and then comparing it to the hash code of the application file being integrated on your website. Both hash codes should be equal in all cases.

This document will help you to implement this health check and thus secure the application file from tampering.


Please remember that our API only generates a hashCode. It is then up to you to decide whether and how you want to use the generated hash for securing the Kameleoon application file.

Sample implementation of the integrity check

The hash code of the original Kameleoon application file can be obtained by a call to our Automation API. So you will first need to get access to the Automation API (via OAuth 2.0) and read the corresponding documentation.

As you can see from the example below, once you make a request to the API endpoint to get the hash code, you can compare it to the hash code computed on your side to make sure that the file wasn't tampered with in any way.

const API_SSX_URL = '';
const HASH_TYPE = 'SHA256';

let token = null;

const doRequest = (url, method, data, callback) => {
const xmlHttp = new XMLHttpRequest();
xmlHttp.onreadystatechange = function () {
if (xmlHttp.readyState == 4 && xmlHttp.status == 200) {
}, url, true);
if (token) {
xmlHttp.setRequestHeader('Authorization', 'Bearer ' + token);
xmlHttp.setRequestHeader('Content-type', 'application/json');
} else {
xmlHttp.setRequestHeader('Content-type', 'application/x-www-form-urlencoded');

const obtainHash = (callback) => {
`grant_type=client_credentials&client_id=${CLIENT_ID}&client_secret=${CLIENT_SECRET}`, (response) => {
token = response.access_token;

doRequest(`${API_SSX_URL}/sites/${SITE_CODE}/hash`, 'PATCH', `{"hashType": "${HASH_TYPE}"}`, (response) => {

obtainHash((hashCode) => {
// Some method to compare the hash code

$API_SSX_URL = '';
$HASH_TYPE = 'SHA256';

$tokenRequest = curl_init($API_SSX_URL . "/oauth/token");
curl_setopt($tokenRequest, CURLOPT_POST, 1);
curl_setopt($tokenRequest, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($tokenRequest, CURLOPT_POSTFIELDS, "grant_type=client_credentials&client_id=" . $CLIENT_ID . "&client_secret=" . $CLIENT_SECRET);
$tokenOutput = curl_exec($tokenRequest);
$token = json_decode($tokenOutput)->access_token;

$hashRequest = curl_init($API_SSX_URL . "/sites/" . $SITE_CODE . "/hash");
curl_setopt($hashRequest, CURLOPT_CUSTOMREQUEST, 'PATCH');
curl_setopt($hashRequest, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($hashRequest, CURLOPT_POSTFIELDS, json_encode(array(
'hashType' => $HASH_TYPE
curl_setopt($hashRequest, CURLOPT_HTTPHEADER, array(
'Content-Type: application/json',
'Authorization: Bearer ' . $token
$hashOutput = curl_exec($hashRequest);
$hash = json_decode($hashRequest)->hashCode;

// Some method to compare the hash code

We do not conduct constant verification of the Kameleoon application files hosted on our CDN for every customer. We let the customer decide how the verification of the application file and the associated actions (in case of mismatching hash codes) should be implemented based on his requirements. Typically, a safe behavior would be to instantly remove the application file link from your website.