Regarding this part in the documentation (Security):
"By default, your typebot can be executed from any origin but you can restrict the execution of your typebot to specific origins. This is useful if you want to embed your typebot in your website and prevent it from being executed on other websites by malicious actors.
For example, if you want to allow your typebot to be executed only on
https://my-company.com, you can add
https://my-company.com to the list of allowed origins.
If you add a URL to the list but omit
https://typebot.co, then your typebot shareable URL will not work anymore."
I wanted a bit more clarification.
- Let's say I add my company to the list of allowed origins. This would mean only users that can access my company's website would be allowed to access the typebot, right, even if I omit the https://typebot.co part? e.g. if it was embedded into a company webpage
- But in the case that I DID want the typebot to be shared as a link to internal users only (e.g. in an email), I would then have to add the https://typebot.co to the beginning of the url. But now would this link, if leaked externally, be accessible to anyone outside of the company?
- Finally, is there any other way to restrict a typebot to internal users where, say, the group of users don't have a website or domain they control? I know password access is currently a feature request. And we could always authenticate users after they begin a chat, but that would use up one chat from our quota.
