Hi! With ID lists - is the entire list sent to the...
# ask-questions
a
Hi! With ID lists - is the entire list sent to the SDK and then matched on device? Are there any security concerns regarding this? I guess this is an exception to "The actual values of the targeting attributes (e.g., the user IDs, emails, etc.) are never sent to GrowthBook" as mentioned higher up on this page, right? https://docs.growthbook.io/features/targeting#id-lists
h
Think of ID lists as feature rules, as far as data privacy is concerned. If you're targeting on non-anonymous IDs in an insecure environment (e.g. front-end), then curious users could inspect that payload and see the full list or targeting rules. If you want to hide this data, consider a few options:
• payload encryption (not totally secure, just fancy obfuscation)
• "secure string" attributes for targeting (e.g. instead of matching on user@domain.com, you'd match on the md5() hash of the ID, and that is what the end user would see when inspecting the payload)
• remote evaluation (front-end evaluates on a private backend so users cannot see the rules and ID lists)
• testing on backend only
• doing any sort of sensitive targeting on the backend and injecting the result onto the frontend as a simple attribute (isTargetedUser: true)