Everything you need to know.
How is SmartField different from HTTPS?+
HTTPS encrypts data in transit. between the browser and server. But your password exists as plaintext in the browser's DOM before it's sent. Any JavaScript (trackers, XSS, extensions) can read it. SmartField encrypts the data inside the browser, before it ever touches the DOM. Even if someone injects JavaScript, they only get encrypted gibberish.
Can a hacker access the Shadow DOM?+
SmartField uses a closed Shadow DOM (mode: 'closed'). JavaScript outside the component cannot access shadowRoot. it returns null. querySelector, innerHTML, textContent. all return empty. Chrome DevTools can inspect it (requires physical access to the machine), but no remote script can read the contents.
What about screen recorders, screenshots, and Hotjar?+
Screen recorders capture what's visible on screen. SmartField displays animated cipher characters (ΣΩΞΟΞΎΞ») instead of real text. changing 8 times per second. When the page loses focus (screenshot, app switch, screen share), all characters instantly scramble. Print Screen triggers immediate randomization. Even if Hotjar records the entire session, they only capture encrypted symbols. The real data never appears on screen.
Do you store my users' data?+
No. Zero. Nothing. SmartField has a zero-data architecture. We never see your users' passwords, credit cards, or any personal data. We never see your encryption keys. All encryption happens in the user's browser. All decryption happens on YOUR server, with YOUR private keys, on YOUR infrastructure. We only serve the JavaScript component. like a CDN. If SmartField gets hacked, there is literally nothing to steal: no passwords, no keys, no user data, no database of secrets. Just a JavaScript file and service infrastructure.
How does the server decrypt the data?+
SmartField uses hybrid encryption: AES-256-GCM encrypts the data (fast), then RSA-2048 encrypts the AES key (secure). Your server holds the RSA private key and decrypts with a single function call. We provide SDKs for Node.js, Python, PHP, Java, and Go.
Does it work with React, Vue, Angular?+
Yes. SmartField is a standard Web Component. It works with any framework or no framework at all. Just add the script tag and use <smart-field> in your HTML/JSX/template. No adapters, no plugins, no wrappers needed.
Is it slower than a normal input?+
Encryption happens asynchronously using the browser's native Web Crypto API (hardware-accelerated on most devices). The user experiences zero delay. cipher characters appear instantly. AES-256 encryption takes less than 1ms per keystroke.
How does SmartField block bots and AI?+
Bots and AI agents interact with forms using JavaScript: querySelector, .value, Puppeteer, Selenium. SmartField's closed Shadow DOM makes the input invisible to all of these. There's no element to find, no value to set, no DOM to read. Only real human keystrokes inside the component work. No CAPTCHA needed. bots are blocked by architecture, not by puzzles.
What are security modes?+
SmartField offers 3 security modes to balance usability and protection. Max: you never see the real text, only cipher characters. maximum security for seed phrases and classified data. Peek: hold a shield button to reveal text for up to 5 seconds, then it re-encrypts visually. Brief: each character is visible for 1 second after typing, then transforms into cipher. like phone PIN entry. All three modes use identical AES-256 + RSA-2048 encryption. Only the display changes.
What about GDPR, HIPAA, and PCI-DSS compliance?+
SmartField helps you meet compliance requirements by design. For GDPR: personal data is encrypted at the point of entry. before it can be captured by third-party scripts. For HIPAA: patient data never exists as plaintext in the browser DOM. For PCI-DSS: card numbers are encrypted per keystroke with AES-256-GCM. Enterprise plans include compliance reports, automatic key rotation, and audit-grade documentation.
"It's just a Web Component. is it really secure?"+
The Web Component is the container. The security is what's inside: 13 independent layers of protection. AES-256-GCM encryption (the same standard used by governments and military). RSA-2048 key exchange. Closed Shadow DOM that returns null to any JavaScript access. WeakMap data isolation invisible to JSON.stringify. Event propagation blocked at capture phase. Anti-screenshot scrambling. Anti-bot architecture. Anti-clipboard protection. Browser auto-save immunity. HTTPS enforcement. Stealth placeholders. Even if one layer is bypassed, the remaining 12 still protect the data. We passed 20/20 attack vectors in an independent security audit. No other input field on the internet has this.
Does SmartField work on mobile phones?+
On mobile devices, SmartField renders as a standard input field. This is by design, not a limitation. Mobile browsers (Chrome, Safari, Samsung Internet) do not allow browser extensions, which is the primary attack vector SmartField protects against on desktop. On desktop, any of the thousands of browser extensions, trackers (Hotjar, FullStory, Clarity), and injected scripts can read your password from a normal input. On mobile, this attack surface does not exist. The operating system sandboxes each app, extensions are not supported, and third-party scripts have far less access to form data. SmartField was built to protect what is still vulnerable: desktop browsers.
Can I see the source code?+
Yes. SmartField is open source on
GitHub. The component and server SDK are fully auditable. We believe security products should be transparent. if you can't read the code, how can you trust it?
What happens if the SmartField script is compromised?+
We recommend using Subresource Integrity (SRI) hashes. the browser verifies the script hasn't been tampered with before executing it. Enterprise customers can self-host the script on their own infrastructure with their own CSP rules. The source code is open for security audits on GitHub.
