
Embed security considerations

This article is from before the rebranding to SelfGuide. Text and images can include the old product name ProductivityPerformer or its abbreviation PP.

Introduction

Allowing embeds gives editors the freedom to integrate instructions into third-party applications, for example a public website, an intranet or an ITSM tool. At the same time, this poses a security risk, as anyone with the embed link can access the content. Read on to understand how the embed feature works, and consider your security posture before allowing embeds.

How does the embed work?

When an instruction is embedded within a third-party application, we don't want to bother the user with authentication. The user should be able to use the instruction directly, like all other content shown. In fact, if we required authentication, the user might not even trust the situation, as an authentication prompt would suddenly appear.

So, when an editor creates an embed link, a unique link is created. The link is used to open the instruction and also to authenticate with SelfGuide to get access to this and only this instruction. The instruction is shown as expected, without controls to navigate to other content within the tenant. Precautionary measures have been taken to prevent the user from misusing the browser session to get access to other content.

Security consideration

The editor might choose to embed a non-public instruction on the organization's intranet. To see the instruction using the embed, the employee has to authenticate with the intranet, so in practice access to the instruction is protected by the security configuration of the intranet. However, the embed URL can be extracted from the intranet page's source code and shared outside the intranet. The instruction can then be accessed outside the intranet, without authentication, by every person who knows the URL.

If keeping the content of instructions within the company is of utmost importance and you want to minimize the risk of editors sharing content with people outside of your organization, consider keeping embed functionality turned off.
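
Because the embed link itself grants access, it helps to know which intranet pages expose one. The following is an added example, not SelfGuide code: it inventories embed URLs in exported intranet HTML so they can be reviewed. The host `selfguide.example`, the URL paths, the page names and the choice of attributes scanned are assumptions or constructed sample data.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumption: placeholder host. Replace with the host your embed links really use.
EMBED_HOST = "selfguide.example"


class EmbedFinder(HTMLParser):
    """Collects every URL-bearing attribute that points at EMBED_HOST."""

    URL_ATTRS = {"src", "href", "data", "data-src"}  # assumed places an embed can sit

    def __init__(self):
        super().__init__()
        self.hits = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name not in self.URL_ATTRS or not value:
                continue
            try:
                host = urlsplit(value.strip()).hostname or ""
            except ValueError:  # malformed URL in the page, skip it
                continue
            # Exact host or a true subdomain; "notselfguide.example" must not match.
            if host == EMBED_HOST or host.endswith("." + EMBED_HOST):
                self.hits.append(value.strip())


def inventory(pages):
    """Map each embed URL to the sorted list of pages whose source contains it."""
    found = {}
    for page_name, html in pages.items():
        finder = EmbedFinder()
        finder.feed(html)
        for url in finder.hits:
            found.setdefault(url, set()).add(page_name)
    return {url: sorted(names) for url, names in found.items()}


# Constructed sample pages; token and paths are placeholders, not a real link format.
SAMPLE_PAGES = {
    "hr/onboarding.html": '<iframe src="https://selfguide.example/embed/PLACEHOLDER-1"></iframe>',
    "it/vpn.html": '<a href="https://selfguide.example/embed/PLACEHOLDER-1">guide</a>'
                   '<iframe src="https://videos.example/player/42"></iframe>',
    "news/index.html": "<p>No embeds here.</p>",
}

if __name__ == "__main__":
    for url, names in inventory(SAMPLE_PAGES).items():
        print(url, "->", ", ".join(names))
```

Every page listed for a URL is a place where a reader can copy that link, so the inventory shows how widely each embed link is already exposed.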