Securing Your AI Widget with Domain Whitelisting

What is domain whitelisting and why do I need it?

Direct answer: Domain whitelisting restricts which websites can embed your ChatNexus agent widget. Without it, anyone could embed your widget on their site and drain your credits. With it, only your approved domains can use your agent.

Example: you whitelist example.com and blog.example.com. If someone tries to embed your widget on attacker.com, ChatNexus blocks the request. This prevents credit abuse and protects your data.

How do I set up domain whitelisting?

Direct answer: Go to your ChatNexus agent → <strong>Security</strong> or <strong>Widget Settings</strong> → <strong>Allowed Domains</strong> → add your domains (e.g., <code>example.com</code>, <code>subdomain.example.com</code>) → save.

You can use exact domain matches or wildcards (e.g., *.example.com allows all subdomains). Use root domains without http:// or www—ChatNexus normalizes them automatically.

How does ChatNexus validate the origin of widget requests?

Direct answer: When a browser loads your widget iframe, it sends an <code>Origin</code> header that tells the server which domain the request came from. ChatNexus compares this header against your whitelist. If it matches, the widget loads. If not, it's blocked.

This is a browser-level security feature (CORS). The server cannot spoof the Origin header—it's set by the browser and cannot be forged by JavaScript. MDN CORS documentation explains how this works in detail.

Can I embed my widget on localhost during development?

Direct answer: Yes. Add <code>localhost:3000</code> (or your dev port) to the allowed domains list. Remove it before deploying to production.

For local development, use localhost with your dev server port. For testing on a local network, you can add your machine's IP (e.g., 192.168.1.100:3000).

What happens if the domain whitelist is empty?

Direct answer: By default (if you don't configure a whitelist), ChatNexus allows embeds from any domain. This is convenient for quick testing but risky in production because anyone can abuse your widget.

It's best practice to set up a whitelist on day one, even if it's just one domain. You can always add more later. See domain whitelisting security best practices for more details.

Deploy an AI agent on your site in minutes

Connect your knowledge base, embed on any domain, and start free — no credit card required.

Create Your AI Agent Free