Skip to main content

Completed Client-Side Security and Privacy Review

Scenario

Atlas wants to add analytics, session replay, and attribution tracking to /account/billing and /reports/revenue. The billing route includes payment method details, invoice history, account owner names, and support links. The reports route includes customer segmentation filters and export events.

This completed review demonstrates the expected depth for review-packets/client-side-security-privacy-review-packet.

Review summary

Decision: approve analytics on both routes with typed first-party event collection. Block session replay on billing for launch. Allow replay on reports only after sensitive table cells and filter values are blocked. Defer attribution API integration until browser support and product requirements are revalidated.

Launch status:

AreaStatusReason
Product analyticsApproved with conditionstyped events and sensitive-field rejection are required
Session replay on billingBlockedsensitive form and payment-adjacent data create unacceptable capture risk
Session replay on reportsConditionalcan launch only with blocked selectors and masking fixture evidence
AttributionDeferredcurrent browser/API support is unstable enough to require a separate pilot
Third-party script loadingConditionaleach script needs owner, consent category, load strategy, and kill switch

Browser trust boundary

Trust decisions:

  • user input, URL parameters, storage values, and third-party script behavior are untrusted
  • frontend role checks are UX hints only
  • protected operations remain server-authorized
  • telemetry SDK rejects unknown event names and sensitive fields before network emission
  • replay cannot run on pages that contain payment method editing, security settings, or support messages until explicit blocking fixtures pass

Sensitive data flow map

DataAppears in UIAllowed in URLAllowed in analyticsAllowed in replayAllowed in logs
account idyeshashed only if neededhashed or internal surrogateno visible raw valuetrace id only
emailyesnonomasked/blockedno
payment last fouryesnonoblockedno
invoice idyesnohashed onlymaskedtrace id correlation
report filter namesyesnon-sensitive values onlycategory names onlymasked if customer-specificno raw values
export formatyesyesyesyesyes
free-form support textyesnonoblockedno

Event schema decision

Approved events:

EventPurposeAllowed properties
billing.invoice_downloadedproduct analyticsinvoice age bucket, tenant class, file type
billing.payment_update_startedfunnel analyticstenant class, route version
billing.payment_update_completedfunnel analyticssuccess/failure class, route version
reports.filter_appliedproduct analyticsfilter categories, count, route version
reports.export_requestedproduct analyticsformat, row count bucket, tenant class
reports.export_completedreliability/product analyticsduration bucket, success/failure class

Rejected properties:

  • raw email
  • full URL
  • account name
  • customer name
  • payment data
  • free-form text
  • unbounded metadata objects

Third-party script decision

ScriptRouteDecisionConditions
analytics vendorbilling, reportsallow through first-party SDK onlyno direct browser collection on sensitive routes
session replaybillingblockrevisit with security/privacy sign-off
session replayreportsconditionalblocked selectors, masking tests, kill switch
attribution pixelacquisition onlynot allowed on billing/reportsseparate pilot outside account app
support widgetbillingallow on support panel onlyno access to payment form DOM, lazy load, owner and kill switch

CSP and browser controls

Required:

  • CSP in report-only during beta, enforcement before GA
  • script-src limited to owned app, approved CDN, and nonce/hash strategy where applicable
  • frame-ancestors denies unapproved embedding
  • opener policy prevents unsafe opener access
  • referrer policy avoids leaking sensitive URLs
  • cookies use appropriate Secure, HttpOnly, and SameSite attributes
  • source maps are not publicly accessible for sensitive production bundles unless policy approves

Launch blockers

  • Unknown event properties are currently accepted by the telemetry SDK.
  • Session replay masking fixture does not cover invoice table, customer filter chips, and support text.
  • Support widget has no documented kill switch.
  • CSP reports have no triage owner.

Conditional approval plan

ConditionOwnerDue
implement event allowlist and sensitive-field rejectiondata platformbefore beta
add replay blocking fixtures for reports routefrontend platformbefore beta
add support widget kill switchaccount teambefore beta
assign CSP report triage ownersecurity engineeringbefore beta
review attribution pilot separatelygrowth platformafter GA

Monitoring

Track:

  • rejected analytics payloads by field type
  • session replay blocked/masked fixture pass rate
  • CSP violation count by release
  • third-party script load failures
  • third-party script transfer and main-thread cost
  • support widget activation and disable events
  • sensitive-data scanner findings in logs/events

Incident runbook

If sensitive data appears in analytics or replay:

  1. Disable affected destination or route-level SDK flag.
  2. Preserve release, configuration, and event schema history.
  3. Identify event/replay ids and affected cohorts.
  4. Notify security/privacy/legal owners.
  5. Purge downstream data where policy requires.
  6. Add regression fixture for the leaked field.
  7. Keep destination disabled until fixture and schema checks pass.

Final decision

The review approves measurement only when routed through first-party typed collection with consent-aware loading, sensitive-field rejection, and operational kill switches. The billing route is treated as deny-by-default for replay. Attribution is deferred because browser support and API stability are not strong enough to justify production coupling without a focused pilot.