On-Premises Deployment Technical Notes

Diagram of the On-Premises Deployment


On-Premises Key Notes

Code Information​JavaScript, HTML and CSS Library of files hosted by client.​
Configuration JSON file, hosted by Verint, is requested on the first page load and moved to browser storage for remainder of visit.
Cookie Information​One first-party persistent cookie (encrypted and compressed) hosted under the site domain (clientsite.com)​.
No third-party cookies required unless you put the Web SDK in a domain other than the main HTML page.
Network Calls to Verint XMOne call per visit to Content Publishing server to pull down a JSON file containing configurations for Survey, Feedback, and Replay​.

JSON files are parsed (not executed) by the browser using native parsing capabilities. Network connections are secured with SSL. JSON files are produced by our publishing system, which is secured by various means and has both at-rest and end-to-end in-motion encryption.
Survey Presentation and Submission​Verint hosts the survey questionnaire and the respondent data.
Code Version UpdatesMaintained by the client.

App Server Requirements

The client code is entirely browser side, but there are some nuances that could affect your deployment depending on how you have your app server configured.

URL Length Limits

Most modern web servers have an enforced URL length limit of 8 kilobytes (KB). Predictive Experience Feedback product can (on occasion) produce URL's as long as 2KB or 3KB when loading our survey, depending on how many CPPs have been set for the session. This normally is not a problem, but if the server that is serving up the fs.feedbacksurvey.html file is enforcing a 2KB limit, then you might occasionally trigger a server error for the user with Feedback.

Another option for setting CPPs is to use the CPP API. This can be helpful if URL length limits do not allow setting of certain CPPs in the URL.

Security Headers

If you are serving the Verint files from the same domain or origin as your primary website, then implementing any security headers (specifically the X-FRAME-OPTIONS or Content Security Policy) isn't expected to be an issue.

If, however, you are serving the files from a different domain, you must pay attention to what headers are being set for the Verint XM files. For example: if your website is hosted at http://www.retailwebsite.com but your Verint XM files are hosted at http://retailwebsitecdn.com then you must pay attention to these headers. Specifically, avoid any X-Frame-Options settings that disallow cross-domain communication. For example:

  • X-Frame-Options: DENY
  • X-Frame-Options: SAMEORIGIN

You can still have an X-Frame-Options header if you whitelist your own domains using ALLOW-FROM. See [https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options] for more information.

The other problematic header is the Content Security Policy (X-Content-Security-Policy). This can also be set with a <meta /> tag. If you're using a CSP, you must whitelist your own domain for cross-site-scripting and for loading of iFrames. A blanket policy that should make requests from your website safe might look like:

  • Content-Security-Policy: default-src 'self' *.retailwebsite.com