
Performance and security

Use this guide to keep Messenger fast, stable, and secure in production environments.

What it is

This page covers:

  • Lazy loading controls
  • Live chat loader mode
  • Secure identity verification
  • CSP policy baselines

Where to find it in OXVO

  • Settings → Inboxes → [Your inbox] → Installation for runtime config values
  • Settings → Security for workspace-level access controls

When to use it

Use this guide before production release and during security/performance reviews.

Lazy loading options

The SDK supports lazy settings:

lazy: {
  enabled: true,
  loadOnIdle: true,
  idleMs: 5000,
  disableOnSlowConnection: true,
}

Behavior summary:

  • enabled: turns lazy mode on
  • loadOnIdle: schedules load during idle time
  • idleMs: fallback timeout window
  • disableOnSlowConnection: skips lazy preloading on slow/data-save network profiles

Live chat loader mode

liveChatLoader: {
  enabled: true,
  appearance: {
    position: 'right',
    theme: 'auto',
    type: 'expanded_bubble',
    launcherTitle: 'Support',
    horizontalSpacing: 24,
    verticalSpacing: 24,
    messengerColor: '#2d6bff',
  },
}

Operational notes:

  • liveChatLoader is off by default.
  • Enabling it also forces lazy mode on.
  • Appearance precedence is:
    1. default values
    2. Messenger settings
    3. liveChatLoader root values
    4. liveChatLoader.appearance values
  • widgetStyle is inherited from Messenger settings and is not overridden by liveChatLoader.appearance.

Secure identity verification

For authenticated users:

  1. Build identifier_hash on your backend.
  2. Pass it in the identify payload.
  3. Rotate signing secrets using your internal security policy.

Warning: Never generate identifier hashes in browser/mobile client code.
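
A backend sketch of steps 1 to 3, added here as an example; it is not OXVO's own code. It assumes identifier_hash is a hex-encoded HMAC-SHA256 of the user identifier (this page does not state the algorithm, so confirm the scheme for your inbox), and the function names and the identifier field name are hypothetical.

```javascript
// Added example (Node.js, server side only). ASSUMPTION: identifier_hash is
// hex(HMAC-SHA256(signing_secret, identifier)); confirm the scheme for your inbox.
const crypto = require('node:crypto');

// Step 1: build identifier_hash on the backend with the current signing secret.
function computeIdentifierHash(secret, identifier) {
  if (!secret) throw new Error('signing secret is not configured');
  return crypto
    .createHmac('sha256', secret)
    .update(String(identifier), 'utf8')
    .digest('hex');
}

// Step 2: the only values the browser receives. The secret never leaves the server.
// The "identifier" field name is an assumption, not taken from the SDK reference.
function buildIdentifyPayload(secret, identifier) {
  return {
    identifier: String(identifier),
    identifier_hash: computeIdentifierHash(secret, identifier),
  };
}

// Step 3 and pre-release testing: a local check that accepts the current secret
// and, while a rotation is in progress, the previous one. Use it in your own
// tests to exercise valid and invalid signatures.
function verifyIdentifierHash(secrets, identifier, candidate) {
  // Reject anything that is not exactly 64 hex characters before comparing,
  // because timingSafeEqual throws on buffers of different length.
  if (typeof candidate !== 'string' || !/^[0-9a-f]{64}$/i.test(candidate)) {
    return false;
  }
  const got = Buffer.from(candidate, 'hex');
  let ok = false;
  for (const secret of secrets) {
    const want = Buffer.from(computeIdentifierHash(secret, identifier), 'hex');
    // Constant-time comparison, no early exit across the secret list.
    if (crypto.timingSafeEqual(want, got)) ok = true;
  }
  return ok;
}
```

Once rotation is complete, drop the previous secret from the list passed to verifyIdentifierHash so hashes signed with it stop validating.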

Content Security Policy baseline

Use this as a starting template and adapt to your policy model:

Content-Security-Policy:
  default-src 'self';
  script-src 'self' https://YOUR_OXVO_DOMAIN;
  connect-src 'self' https://YOUR_OXVO_DOMAIN wss://YOUR_OXVO_DOMAIN;
  frame-src https://YOUR_OXVO_DOMAIN;
  img-src 'self' data: https://YOUR_OXVO_DOMAIN;
  style-src 'self' 'unsafe-inline';

Implementation notes:

  • script-src must allow the OXVO SDK script host.
  • frame-src must allow the Messenger iframe host.
  • connect-src should allow HTTPS and WebSocket traffic to your OXVO domain.
  • Tighten directives further if your environment requires nonces/hashes.

Production checklist

  1. Run load tests with loader mode off and on.
  2. Confirm first interaction latency under your target threshold.
  3. Validate identity hash behavior with both valid and invalid test signatures.
  4. Verify CSP in browser report-only mode before enforcement.
  5. Capture and monitor oxvo:error events.
