Security Considerations

There is one potential risk with using the Client-Side Completion URL. Because the URL is typically accessed directly by the participant (their browser is redirected to it), they also have access to view the parameters in the URL. The completion URL contains a key specific to your study, as well as an ID (the survey code number) to indicate which participant should be granted credit.

The risk is that a participant could take this URL and start trying other IDs (survey code numbers) to grant other participants credit. For this scheme to work, all of the following must be true:

  • They must be able to guess an ID number used by another participant. The ID numbers are not necessarily sequential.
  • The other participant must be signed up for this study.
  • The other participant must not already have received credit for this study (i.e. they are in Awaiting Action state).

It’s fairly unlikely that all three conditions will hold at once, and it’s a lot of work for a participant to guess all possible ID numbers, although this can be automated. If this is a concern, the best option is to use the Server-Side Completion URL, since that is a server-to-server communication that participants never see. The drawback is that most commercial survey products do not support the Server-Side Completion URL, so additional programming would be required.
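As an added example (not part of the original documentation and not the product's own code), the sketch below shows how such guessing would appear in web-server access logs: a single client requesting the completion URL with many different survey codes. The path `/complete`, the parameter names `credit_token` and `survey_code`, the helper names and the log lines are all assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (common log format); not real traffic.
# The path and parameter names are hypothetical stand-ins for the completion URL.
SAMPLE_LOG = """\
198.51.100.7 - - [02/Mar/2024:10:01:12 +0000] "GET /complete?credit_token=PLACEHOLDER&survey_code=48213 HTTP/1.1" 200 512
198.51.100.7 - - [02/Mar/2024:10:01:15 +0000] "GET /complete?credit_token=PLACEHOLDER&survey_code=48213 HTTP/1.1" 200 512
192.0.2.10 - - [02/Mar/2024:10:05:40 +0000] "GET /complete?credit_token=PLACEHOLDER&survey_code=77120 HTTP/1.1" 200 512
203.0.113.45 - - [02/Mar/2024:10:09:01 +0000] "GET /complete?credit_token=PLACEHOLDER&survey_code=10001 HTTP/1.1" 200 512
203.0.113.45 - - [02/Mar/2024:10:09:02 +0000] "GET /complete?credit_token=PLACEHOLDER&survey_code=10002 HTTP/1.1" 200 512
203.0.113.45 - - [02/Mar/2024:10:09:02 +0000] "GET /complete?credit_token=PLACEHOLDER&survey_code=10003 HTTP/1.1" 200 512
203.0.113.45 - - [02/Mar/2024:10:09:03 +0000] "GET /complete?credit_token=PLACEHOLDER&survey_code=10004 HTTP/1.1" 200 512
203.0.113.45 - - [02/Mar/2024:10:09:10 +0000] "GET /index.html HTTP/1.1" 200 2048
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "GET (\S+) HTTP/[\d.]+" (\d{3})')

def distinct_codes_by_client(log_text, path="/complete", param="survey_code"):
    """Map each client address to the set of survey codes it submitted."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not GET requests in the expected format
        client, target, _status = m.groups()
        url = urlsplit(target)
        if url.path != path:
            continue  # only completion-URL hits are relevant
        for code in parse_qs(url.query).get(param, []):
            seen[client].add(code)
    return seen

def flag_guessing(log_text, max_codes=1):
    """Return clients that submitted more distinct codes than max_codes."""
    return {
        client: sorted(codes)
        for client, codes in distinct_codes_by_client(log_text).items()
        if len(codes) > max_codes
    }

if __name__ == "__main__":
    for client, codes in flag_guessing(SAMPLE_LOG).items():
        print(f"{client} submitted {len(codes)} distinct survey codes: {codes}")
```

A repeated request with the same code (a page reload) is not flagged. Participants behind a shared address, such as a campus lab, can legitimately produce several codes, so `max_codes` should be raised to suit the environment.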
