Skip to main content

Security

User privacy and security are core to LiveCodes. As a client-side app, your code never leaves your device unless you explicitly choose to share, export, or deploy it.

Client-Side Architecture

LiveCodes runs entirely in your browser. There is no server-side code execution — all compilation, code transformation, and result rendering happens locally. No account is required, and no personal information is collected for anonymous use.

Your projects, assets, snippets, and settings are stored in your browser's local storage (IndexedDB and localStorage) and never sent to our servers unless you use a feature that requires it (e.g., short URL sharing, sync, or deploy).

Sandboxed Execution

User code runs in isolation, protected by sandboxed iframes on a separate origin from the main app.

Language compilers and transpilers (TypeScript, SCSS, Babel, etc.) and the compiled result page (the output of your code) run in separate sandboxed iframes on an independent origin.

This allows code execution but prevents untrusted code from accessing the main app's cookies, localStorage, or DOM. All communication with the app uses postMessage with strict origin verification.

Embedded Playgrounds

When LiveCodes is embedded on third-party websites, the playground runs in its own sandboxed iframe and cannot access:

  • The parent page's DOM or JavaScript context
  • Cookies from the embedding page's origin
  • localStorage or sessionStorage of the embedding page
  • Any other sensitive data from the host site

The embedding page communicates with the playground only through the SDK, which uses postMessage with origin validation on both sides.

Data Storage

Local Storage

All user data — projects, assets, snippets, templates, and settings — is stored in the browser's IndexedDB and localStorage. This data is tied to the browser profile and device. Data saved anonymously and data saved under a logged-in account are stored separately to prevent cross-user leakage on shared devices.

Data in Transit

When data does leave your device, it is always encrypted in transit via HTTPS:

  • Share service: Project code sent to generate short URLs
  • GitHub Sync: Projects synced to your private GitHub repo
  • Deployment: Result pages pushed to your GitHub Pages repo
  • GitHub API: All authenticated requests use HTTPS and token-based auth

Authentication

Login with GitHub is handled through Firebase Authentication. Permissions are granted at login time and can be revoked at any time through your GitHub authorized applications. The app requests only the scopes it needs:

  • gist scope — for exporting to GitHub Gists
  • repo scope (public) — for deployment and asset hosting
  • repo scope (private) — for importing from private repos and data sync

Authentication may set cookies on your device. By logging in, you consent to this. Logging out clears session data from the app while preserving your stored projects in local storage.

Third-Party Dependencies

LiveCodes loads language compilers, runtimes, and libraries from third-party CDNs (jsDelivr, esm.sh, unpkg, etc.) when needed by your selected languages. These dependencies run in the sandboxed compiler iframe, not in the main app context. Module imports in your code are resolved through the same sandbox.

External resources added via the External Resources feature run in the result page sandbox.

Reporting Vulnerabilities

If you discover a security vulnerability, please do not report it publicly. Instead:

See our Security Policy for responsible disclosure guidelines.

For non-security bugs, please file an issue on the GitHub repo.

Self-Hosting

When self-hosting, you control the deployment and can configure additional security measures:

  • Docker setup with automatic HTTPS via Caddy
  • Separate origin sandbox for code execution
  • Self-hosted share service, CORS proxy, and broadcast server
  • Custom headers and security policies