§ How it works

From a toggle in Canvas to a proven lockdown.

Seven steps. Three happen entirely on the server. Not one of them depends on a student cooperating or an instructor being careful.
7steps
3server-side
Person actsServer / SEB proves it
01 · Instructor

Enable SEB on an assessment

From the course-navigation placement, the instructor flips SEB on for a Classic or New Quiz. The tool generates the Canvas access code and writes it to the assessment itself.

Access code auto-generatedExit password required firstFirestore lock guards the write
02 · Student

Download a fresh configuration

The student connects Canvas once and requests a configuration. There is no reusable .seb link — the server mints a one-time capability and the download consumes it.

120s · single-use grantBound to your current settingsChanging settings voids old copies
03 · Server

Build and encrypt the .seb file

The server mints a fresh single-use Canvas session URL, applies the URL filter and lockdown policy, then encrypts the file to your public certificate.

Session URL, not a copied cookieOptional start passwordSEB pkhs certificate wrap
04 · SEB

Prove the Config Key

SEB opens the config and lands on the quiz page. The detector reads the Config Key hash through the SEB JavaScript API and asks the server for a proof.

Server re-verifies independentlyStale config → no proof2-min single-use token
05 · Server

Release the access code, once

The detector redeems the proof. The server returns the access code, the approved-tool list, and an exit grant — under no-store headers, bound to the verified session.

POST-only, consumes the tokenno-store responseFilled in, never shown
06 · Student

Take the exam

Canvas and the approved tools load; nothing else does. The SEB URL filter is the control — the sidebar in the page only shows what is already permitted.

Approved tools onlySwitching · VMs · capture blockedCanvas behavior preserved
07 · SEB

Exit on confirmed completion

The quit link appears only on Canvas-authored completion evidence. A cancelled submission confirmation does not exit; only the authoritative completed state does.

Canvas confirms it is doneHMAC-bound quit URLUnbound quit routes → 410

What happens when someone tries

The interesting part is what fails

A control is only worth describing if you can say what it stops. These are the attempts the flow is shaped around.

Copies the .seb file to their own laptop

It will not decrypt. The private identity lives only on approved managed devices, and the service never holds it.

Reuses last week's working config

Its settings fingerprint no longer matches, so Config Key proof fails and no code is returned.

Opens the quiz in a normal browser

There is no SEB JavaScript API to produce a Config Key hash, so no proof exists and Canvas still demands the code.

Replays the request that returned the code

The proof token is single-use, expires in two minutes, and the response is no-store and session-bound.

Tries to quit part-way through

Quitting needs the exit password, and the in-exam quit link only appears once Canvas reports the assessment authoritatively complete.

One piece lives in Canvas

A detector script, loaded by your theme

The in-page half of the flow is a small script served from the deployment and loaded through your Canvas account theme. It runs only on assessment routes.

In the pagerequests →Server verifies

Served from the stable path /js/canvas-seb-detector.js. The script is only an affordance — the SEB URL filter in the configuration is the control.

What it does on the quiz page

  • 01Render the SEB-required view and launch handoff
  • 02Read the Config Key hash via the SEB JS API
  • 03Request a proof, redeem it, fill the code prompt
  • 04Show the approved exam tools
  • 05Detect completion and surface the bound quit link

Want the control-by-control version?

The security page covers launch validation, replay, expiry, and the limits we will not paper over.

Read the security model →