Security
User privacy and security are core to LiveCodes. As a client-side app, your code never leaves your device unless you explicitly choose to share, export, or deploy it.
Client-Side Architecture
LiveCodes runs entirely in your browser. There is no server-side code execution — all compilation, code transformation, and result rendering happens locally. No account is required, and no personal information is collected for anonymous use.
Your projects, assets, snippets, and settings are stored in your browser's local storage (IndexedDB and localStorage) and never sent to our servers unless you use a feature that requires it (e.g., short URL sharing, sync, or deploy).
Sandboxed Execution
User code runs in isolation, protected by sandboxed iframes on a separate origin from the main app.
Language compilers and transpilers (TypeScript, SCSS, Babel, etc.) and the compiled result page (the output of your code) run in separate sandboxed iframes on an independent origin.
This allows code execution but prevents untrusted code from accessing the main app's cookies, localStorage, or DOM. All communication with the app uses postMessage with strict origin verification.
Embedded Playgrounds
When LiveCodes is embedded on third-party websites, the playground runs in its own sandboxed iframe and cannot access:
- The parent page's DOM or JavaScript context
- Cookies from the embedding page's origin
- localStorage or sessionStorage of the embedding page
- Any other sensitive data from the host site
The embedding page communicates with the playground only through the SDK, which uses postMessage with origin validation on both sides.
Data Storage
Local Storage
All user data — projects, assets, snippets, templates, and settings — is stored in the browser's IndexedDB and localStorage. This data is tied to the browser profile and device. Data saved anonymously and data saved under a logged-in account are stored separately to prevent cross-user leakage on shared devices.
Data in Transit
When data does leave your device, it is always encrypted in transit via HTTPS:
- Share service: Project code sent to generate short URLs
- GitHub Sync: Projects synced to your private GitHub repo
- Deployment: Result pages pushed to your GitHub Pages repo
- GitHub API: All authenticated requests use HTTPS and token-based auth
Authentication
Login with GitHub is handled through Firebase Authentication. Permissions are granted at login time and can be revoked at any time through your GitHub authorized applications. The app requests only the scopes it needs:
gistscope — for exporting to GitHub Gistsreposcope (public) — for deployment and asset hostingreposcope (private) — for importing from private repos and data sync
Authentication may set cookies on your device. By logging in, you consent to this. Logging out clears session data from the app while preserving your stored projects in local storage.
Third-Party Dependencies
LiveCodes loads language compilers, runtimes, and libraries from third-party CDNs (jsDelivr, esm.sh, unpkg, etc.) when needed by your selected languages. These dependencies run in the sandboxed compiler iframe, not in the main app context. Module imports in your code are resolved through the same sandbox.
External resources added via the External Resources feature run in the result page sandbox.
Reporting Vulnerabilities
If you discover a security vulnerability, please do not report it publicly. Instead:
- Email: [email protected]
- Contact page: livecodes.io/docs/contact
See our Security Policy for responsible disclosure guidelines.
For non-security bugs, please file an issue on the GitHub repo.
Self-Hosting
When self-hosting, you control the deployment and can configure additional security measures:
- Docker setup with automatic HTTPS via Caddy
- Separate origin sandbox for code execution
- Self-hosted share service, CORS proxy, and broadcast server
- Custom headers and security policies