In this article, we will delve into the various security options available for your changelog. Your changelog is a valuable source of information, and ensuring its security and privacy is essential. From preventing search engine indexing to creating private access for specific groups, we'll guide you through the settings that can help you safeguard your changelog effectively.
Whether you want to limit access to a select audience, employ secure authentication methods, or restrict access to specific IP addresses, this comprehensive overview will empower you to make informed choices to protect your changelog's integrity and confidentiality.
How to get started with setting up security & privacy options
You can get started by going to your Settings > Security & Privacy.
Here, you have many options to select and configure.
Disallow Search Engine Indexing & Allow indexing of Main Page
By default, search engines can index your changelog, so anyone can find it by searching for it. If you enable this option, your changelog is marked as not to be indexed and drops out of search results. Note that this only removes the page from search results; it does not restrict access, so anyone who has the URL can still open it. Use the private feed options below if you need actual access control.
Additionally, you can enable or disable indexing of your main page separately, for SEO purposes.
Private Feed Options
By turning on this option, you make your changelog URL private, so that it is accessible only to a selected group of users.
You can keep your changelog private by using URL tokens, by using cookies, or by restricting access by email domain.
Private Feed via URL Tokens
Please note that JWT authentication is required for setting up a private changelog with URL tokens.
By following these steps, you create an environment in which only authorized individuals can access your changelog's content.
You'll need to set up a widget on your webpage that acts as the access point for your selected user group. This widget serves as the gateway to your private changelog.
Usually this is done by placing the widget behind a login screen, so that only signed-in users reach it.
Go to your Security & Privacy settings and toggle on Private changelog.
Continue by setting up your JWT: the JWT is the URL token, so it is essential for a private changelog with URL tokens.
You can find the JWT setup guide below in this article.
As users interact with the widget, it generates URL tokens for them, granting access to your private changelog. These tokens are time-sensitive and expire within an hour. Because the token travels in the URL, anyone who is given such a link can open the changelog until the token expires, so treat these links as short-lived credentials rather than as something to publish.
Private Feed via cookies (shareable private links)
Shareable means that your users keep access to your changelog without a time limit, because the cookie does not expire (as opposed to URL tokens, which expire within an hour).
This option uses cookies instead of URL tokens to access your changelog page. Otherwise it works the same way as enabling a private changelog via URL tokens, described above.
You'll need to set up a widget on your webpage that acts as the access point for your selected user group. This widget will serve as the gateway to your private changelog.
Usually this is done by placing the widget behind a login screen.
Go to your Security & Privacy settings and toggle on Private Feed.
Then toggle on Shareable Private Links.
As users interact with the widget, the widget drops a cookie in the user's browser.
The cookie stays in the user's browser (unless cleared), so access to your private changelog persists indefinitely on that browser. Keep in mind that this also means access is not revoked when the user leaves your organization, and that anyone using the same browser profile inherits it; on shared machines, users should clear cookies when they are done.
Private Feed via Domain Access
With domain access, you add a domain-based rule to your changelog that limits access to your feed page to users from the allowed email domain.
Only people whose email address domain (the part after the @) matches the domain you entered into the system can view your changelog.
Forcing JWT and JWT Setup
The JWT method is one of the most secure and convenient ways to authenticate users with external apps. AnnounceKit supports and accepts JSON Web Tokens for authenticating users with the widget and public changelog.
1. Get your secret key
First, you need a secret key that is used to sign the token carrying the user data. Remember, this key is secret: use it only on the server side of your application and never ship it to the browser, since anyone holding it can mint valid tokens for any user.
2. Generate tokens on your server
Now you can generate a signed token, user_token, whose payload consists of the user properties id, name and email. Make sure the HS256 signing algorithm is used and is declared in the JWT header. Note that an HS256 JWT is signed, not encrypted: the payload is only base64url-encoded and is readable by anyone who sees the token, so put nothing sensitive in it beyond these fields.
You can use any JWT library suitable for your codebase.
3. Authenticate the user
Now that you have the signed user_token, you can pass it within your widget configuration or as the user_token query parameter of your standalone newsfeed URL:
https://announcekit.app/acmeco/updates?user_token=eyJhbGciOiJIU6IkpXVCJ9.ey...
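The three steps above, as an added example that is not AnnounceKit's own code and uses no AnnounceKit library. It builds an HS256 JWT with the id, name and email claims by hand from the Python standard library so that it runs offline (a JWT library such as PyJWT would produce the same token), appends it as the user_token query parameter, and also shows why the secret must stay server-side: the payload is readable without the key, while forging or altering it requires the key. The secret value, the user record, the feed URL and the function names are assumptions made for the example.

```python
import base64
import hashlib
import hmac
import json
from urllib.parse import urlencode


def _b64url(data: bytes) -> str:
    # JWTs use base64url without '=' padding (RFC 7515, section 2)
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    # Restore the padding stripped above before decoding
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_user_token(secret: str, user: dict) -> str:
    """Step 2: build a signed (not encrypted) HS256 JWT carrying id, name and email."""
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"id": user["id"], "name": user["name"], "email": user["email"]}
    signing_input = (
        _b64url(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + _b64url(json.dumps(payload, separators=(",", ":")).encode())
    )
    # HS256 = HMAC-SHA256 over "header.payload", keyed with the server-side secret
    signature = hmac.new(secret.encode(), signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(signature)


def read_payload_unverified(token: str) -> dict:
    """Anyone holding a token can do this: the payload is only encoded, never encrypted."""
    return json.loads(_b64url_decode(token.split(".")[1]))


def verify_user_token(secret: str, token: str):
    """Return the payload if the signature is valid under `secret`, otherwise None.

    This is what the receiving side has to do; it is shown here to demonstrate
    that altering the payload or using a different secret invalidates the token.
    """
    try:
        h, p, s = token.split(".")
        header = json.loads(_b64url_decode(h))
        if header.get("alg") != "HS256":
            return None  # refuse "none" and any algorithm we did not agree on
        expected = hmac.new(secret.encode(), f"{h}.{p}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(s)):
            return None  # constant-time comparison of the two HMACs
        return json.loads(_b64url_decode(p))
    except ValueError:  # covers malformed base64, bad JSON and wrong part count
        return None


def feed_url(base_url: str, token: str) -> str:
    """Step 3: attach the token as the user_token query parameter of the standalone feed URL."""
    return base_url + "?" + urlencode({"user_token": token})


if __name__ == "__main__":
    # Constructed sample values; in practice the secret comes from server-side config
    SECRET = "replace-me-with-the-secret-from-your-settings"
    user = {"id": "42", "name": "Ada Lovelace", "email": "ada@example.com"}
    token = make_user_token(SECRET, user)
    print(feed_url("https://announcekit.app/acmeco/updates", token))
    print("payload visible without the key:", read_payload_unverified(token))
    print("verifies with the right secret:", verify_user_token(SECRET, token) == user)
    print("verifies with the wrong secret:", verify_user_token("other", token) is not None)
```

Run it and you get a feed URL of the same shape as the one above. The two last lines make the point of step 1 concrete: the payload is recoverable from the token alone, so the only thing protecting the changelog is that nobody outside your server can produce a valid signature.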
IP Access Control
You can make your page accessible only from specific IP addresses. This way, your changelog can be viewed only from your company's or office's network, by the people who use that network.
This privacy option is mostly used for internal or in-company use cases with sensitive information. It prevents misuse of the information in your announcements by making your changelog inaccessible to users connecting from IP addresses other than those associated with your business.
Specify the IPv4/IPv6 address or address range that is allowed to access the changelog. Keep in mind that the rule applies to the address your users appear to come from: remote staff need to be on the office network or company VPN, and a shared office address also admits everyone behind the same NAT.
If you enable IP Access Control, you cannot enable a private changelog URL at the same time.