My search index contains sensitive data. How can I prevent it from being exposed?
I’m indexing content from multiple users and I want to make sure a user can only see their own content. How can I prevent sensitive data from being exposed with Swiftype?
Swiftype’s public search API allows any user to perform any query given your public engine key (which is what is used to identify your engine).
This is great because it allows Swiftype to provide JSONP access to search and autocomplete without you having to send requests through your server. However, using JSONP with the engine key is only tenable if all the data in your search engine can be searched publically.
If you have user data you need to keep private from other users, keep your engine key secret, and send search requests to your server first, then use your private API key to access our API directly (you can use one of our API clients to make this easier).
To search only data accessible to a certain user, use filters and make sure that the user cannot change the filter -- it should be set only on your server.
Routing traffic through your server will be slightly slower, but it will allow you to maintain security while still providing high-quality search results.