Common security questions

Should I security test the Flipbook viewer?

While it's good practice to verify the security of the tools you use, our Flipbook viewer is a hosted solution and therefore has no impact on your other websites.

As such, it does not make sense to run a full suite of security tests against our system, as our Flipbook viewer is designed to conform to the broad security needs of our customer base, rather than the specific requirements for individual customers.

Why are there no strict CSP headers in the Flipbook viewer?

We offer many ways to enrich our Flipbooks, and many of these allow scripts to be loaded from the internet, such as Google, GTM, and any other script you, as a customer, would like to embed in your flipbook. We also offer a feature called Custom Scripting, where you can write any JavaScript you want, and it'll run when your Flipbook loads.

As such, our CSP header cannot be strict, as it would prevent the above features from working.

Why we don’t use PFS (Perfect Forward Secrecy)

iPaper is a company with customers in all parts of the world, and as such we're accessed by a broad range of devices. Introducing PFS would prevent older devices from accessing Flipbooks, and given the range of devices we currently see accessing our system, we're not at a point where we want to introduce PFS.

Why is the HSTS header only 7 days?

Our system allows customers to set up branded domains for their publications, and we provide SSL certificates as part of this service.

The configuration of branded domains and SSL is managed by the individual companies, and to give our customers some leeway in the configuration of SSL, we've opted for a shorter HSTS header, so there's room for human errors.
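The two header questions above (a CSP that cannot be strict because the viewer loads third-party tags and customer scripts, and an HSTS max-age kept at 7 days) can both be checked from the response headers. The following is an added example, not iPaper's code: it parses a Content-Security-Policy value, reports which sources relax script execution, and converts the HSTS max-age into days. The header values in `sampleHeaders` are constructed for illustration, not captured from the Flipbook viewer.

```javascript
// Added example (not iPaper's code): audit a response for the CSP and HSTS
// properties discussed in the FAQ. Sample header values are constructed.

// Parse a Content-Security-Policy value into { directive: [sources] }.
function parseCsp(value) {
  const policy = {};
  for (const part of value.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [directive, ...sources] = tokens;
    policy[directive.toLowerCase()] = sources;
  }
  return policy;
}

// List the ways the effective script-src relaxes script execution. A viewer
// that runs customer-supplied JavaScript and tags such as GTM typically needs
// some of these, which is exactly why its policy cannot be strict; the
// findings tell you what the page is able to load.
function auditScriptSrc(policy) {
  const src = policy['script-src'] || policy['default-src'] || [];
  const findings = [];
  if (src.length === 0) findings.push('no script-src or default-src: scripts unrestricted');
  if (src.includes("'unsafe-inline'")) findings.push("'unsafe-inline': inline scripts allowed");
  if (src.includes("'unsafe-eval'")) findings.push("'unsafe-eval': eval and new Function allowed");
  if (src.includes('*')) findings.push('wildcard host: scripts from any origin');
  for (const s of src) {
    if (/^https?:$/.test(s)) findings.push(`${s} scheme-only source: scripts from any ${s.slice(0, -1)} host`);
    if (s.startsWith('*.')) findings.push(`${s}: scripts from any matching subdomain`);
  }
  return findings;
}

// Parse Strict-Transport-Security into its directives.
function parseHsts(value) {
  const result = { maxAge: null, includeSubDomains: false, preload: false };
  for (const part of value.split(';')) {
    const [name, raw] = part.trim().split('=').map(s => (s ? s.trim() : s));
    if (!name) continue;
    const key = name.toLowerCase();
    if (key === 'max-age' && raw) result.maxAge = parseInt(raw.replace(/"/g, ''), 10);
    else if (key === 'includesubdomains') result.includeSubDomains = true;
    else if (key === 'preload') result.preload = true;
  }
  return result;
}

const SECONDS_PER_DAY = 86400;

// max-age expressed in days; a 7-day policy, as on this page, is 604800 seconds.
function hstsDays(value) {
  const { maxAge } = parseHsts(value);
  return maxAge === null ? null : maxAge / SECONDS_PER_DAY;
}

// Constructed sample headers (lower-cased names, as Node's http module returns them).
const sampleHeaders = {
  'content-security-policy':
    "default-src 'self'; script-src 'self' 'unsafe-inline' https://www.googletagmanager.com https:; img-src *",
  'strict-transport-security': 'max-age=604800; includeSubDomains',
};

function auditHeaders(headers) {
  const csp = headers['content-security-policy'];
  const hsts = headers['strict-transport-security'];
  return {
    scriptFindings: csp ? auditScriptSrc(parseCsp(csp)) : ['no Content-Security-Policy header'],
    hsts: hsts ? parseHsts(hsts) : null,
    hstsDays: hsts ? hstsDays(hsts) : null,
  };
}

console.log(JSON.stringify(auditHeaders(sampleHeaders), null, 2));
```

Run it with `node` on the constructed sample and it reports that inline scripts and any `https:` host are allowed by the policy, and that the HSTS max-age is 7 days with `includeSubDomains` set and no `preload`. The same functions can be pointed at headers fetched from any site you operate.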

What is the "IPF__SUPPORT_TEST_KEY" key in local storage?

To detect if a device supports Local Storage, we try to set a temporary key called IPF__SUPPORT_TEST_KEY. The key is removed immediately after support has been detected.
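The probe described above, written out as an added example (this is not the viewer's own code): the storage object is passed in rather than read from `window`, so the function can be exercised outside a browser; in a page you would call `supportsStorage(window.localStorage)`. The in-memory and throwing storage stand-ins are constructed for illustration. Beyond the simple set-and-remove the text describes, the example also catches the write failure that private browsing or a disabled storage setting raises, and reads the key back so that a storage object that silently drops writes is reported as unsupported.

```javascript
// Added example (not iPaper's code): detect Web Storage support by writing and
// immediately removing a probe key, as the FAQ describes.
const SUPPORT_TEST_KEY = 'IPF__SUPPORT_TEST_KEY';

function supportsStorage(storage, testKey = SUPPORT_TEST_KEY) {
  if (!storage) return false; // e.g. window.localStorage is undefined
  try {
    storage.setItem(testKey, testKey);
    const readBack = storage.getItem(testKey) === testKey;
    storage.removeItem(testKey); // the key is removed as soon as support is known
    return readBack;
  } catch (err) {
    // Private browsing or a disabled storage setting can expose the object but
    // throw (QuotaExceededError / SecurityError in browsers) on the first write.
    return false;
  }
}

// Constructed stand-in for a working Storage object.
function makeMemoryStorage() {
  const map = new Map();
  return {
    setItem: (k, v) => { map.set(k, String(v)); },
    getItem: (k) => (map.has(k) ? map.get(k) : null),
    removeItem: (k) => { map.delete(k); },
    get length() { return map.size; },
  };
}

// Constructed stand-in for storage that refuses writes (private mode style).
function makeThrowingStorage() {
  return {
    setItem: () => { throw new Error('QuotaExceededError'); },
    getItem: () => null,
    removeItem: () => {},
    get length() { return 0; },
  };
}

// Constructed stand-in for storage that accepts writes but never persists them.
function makeSilentStorage() {
  return {
    setItem: () => {},
    getItem: () => null,
    removeItem: () => {},
    get length() { return 0; },
  };
}

// Report the detection result together with whether the probe key was cleaned up.
function probeAndVerify(storage) {
  const supported = supportsStorage(storage);
  const leftover = Boolean(storage) && storage.getItem(SUPPORT_TEST_KEY) !== null;
  return { supported, leftover };
}

console.log('working storage:', probeAndVerify(makeMemoryStorage()));
console.log('throwing storage:', probeAndVerify(makeThrowingStorage()));
console.log('silent storage:', probeAndVerify(makeSilentStorage()));
console.log('no storage object:', probeAndVerify(undefined));
```

Only the first case reports support, and in every case `leftover` is false, which is the property the FAQ answer is making: the test key never remains on the device.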
