Domain Whitelisting
Domain whitelisting is a security control that allows a service to be used only from pre-approved domains. For embeddable widgets and client-side APIs, domain whitelisting prevents unauthorized sites from embedding your widget or making API calls using your credentials — protecting both your usage quota and your customers' data.
Why domain whitelisting matters
Without domain restrictions, anyone who finds your widget script tag or API key could embed your support widget on their own site — consuming your query quota, confusing your analytics, and potentially exposing customer interactions. Domain whitelisting ensures only your authorized domains can use the service.
Implementation
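Domain whitelisting works by checking the Origin or Referer header of each incoming request against a list of approved domains. Requests from non-whitelisted domains are rejected. The check is enforced server-side, so it cannot be bypassed by client-side manipulation: the browser sets the Origin header itself, and scripts on the page cannot override it. A non-browser client can send any header value, so the check controls where the widget can be embedded and does not authenticate the caller. Most implementations support wildcard patterns (*.yourdomain.com) for flexibility.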
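An added example, not EchoSDK's code, of the server-side check described above: it parses the Origin header (falling back to Referer) and compares the hostname against the allowlist, matching wildcards only on a label boundary. The allowlist entries, function names, HTTPS-only rule, and the choice that `*.yourdomain.com` does not cover the bare `yourdomain.com` are assumptions.

```javascript
// Added example: the allowlist and the sample headers are constructed.
const ALLOWLIST = ["yourdomain.com", "*.yourdomain.com"];

// Parse the requesting page's URL from Origin, falling back to Referer.
function requestOrigin(headers) {
  const raw = headers.origin || headers.referer;
  if (!raw || raw === "null") return null; // missing header or opaque origin
  try {
    return new URL(raw);
  } catch {
    return null; // malformed header value
  }
}

// True when hostname matches a single allowlist entry.
function hostMatches(hostname, pattern) {
  const host = hostname.toLowerCase();
  const pat = pattern.toLowerCase();
  if (pat.startsWith("*.")) {
    // Keep the leading dot so the match lands on a label boundary:
    // "evilyourdomain.com" must not satisfy "*.yourdomain.com".
    const suffix = pat.slice(1); // ".yourdomain.com"
    return host.length > suffix.length && host.endsWith(suffix);
  }
  return host === pat; // exact entry: no substring or prefix matching
}

function isRequestAllowed(headers, allowlist = ALLOWLIST) {
  const url = requestOrigin(headers);
  if (!url || url.protocol !== "https:") return false; // assumption: HTTPS only
  return allowlist.some((p) => hostMatches(url.hostname, p));
}

// Constructed requests: the first three are accepted, the rest rejected.
const samples = [
  { origin: "https://yourdomain.com" },
  { origin: "https://help.yourdomain.com" },
  { referer: "https://app.yourdomain.com/pricing?x=1" },
  { origin: "https://evilyourdomain.com" },
  { origin: "https://yourdomain.com.lookalike.example" },
  { origin: "http://yourdomain.com" },
  { origin: "null" },
  {},
];
for (const h of samples) console.log(JSON.stringify(h), isRequestAllowed(h));
```

Comparing the parsed hostname, rather than searching the raw header string for the domain, is what rejects the two lookalike hosts.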
EchoSDK's domain whitelisting
EchoSDK lets you configure whitelisted domains per app through the dashboard or API. Only requests originating from your approved domains will be processed. This protects your query quota and ensures your support widget only appears where you intend it to.
Related terms
Embeddable Widget
A self-contained UI component that can be added to any website or app with a script tag, providing functionality like chat support without custom development.
API-First Design
A development approach where the API is designed and built as the primary interface, with any UI or widget being a consumer of that API rather than the core product.
Script Tag Integration
A deployment method where a third-party tool is added to a website by inserting a single HTML script tag, requiring no build tools or framework dependencies.