Share feedback, ideas and get community help

Updated 2 months ago

Restricting Typebot to internal users

Regarding this part in the documentation (Security):

"By default, your typebot can be executed from any origin but you can restrict the execution of your typebot to specific origins. This is useful if you want to embed your typebot in your website and prevent it from being executed on other websites by malicious actors.

For example, if you want to allow your typebot to be executed only on https://my-company.com, you can add https://my-company.com to the list of allowed origins.

If you add a URL to the list but omit https://typebot.co, then your typebot shareable URL will not work anymore."

I wanted a bit more clarification.

  1. Let's say I add my company to the list of allowed origins. This would mean only users that can access my company's website would be allowed to access the typebot, right, even if I omit the https://typebot.co part? e.g. if it was embedded into a company webpage
  2. But in the case that I DID want the typebot to be shared as a link to internal users only (e.g. in an email), I would then have to add the https://typebot.co to the beginning of the url. But now would this link, if leaked externally, be accessible to anyone outside of the company?
  3. Finally, is there any other way to restrict a typebot to internal users where, say, the group of users don't have a website or domain they control? I know password access is currently a feature request. And we could always authenticate users after they begin a chat, but that would use up one chat from our quota.
B
y
11 comments
Indeed, "If you add a URL to the list but omit https://typebot.co/, then your typebot shareable URL will not work anymore." this is wrong because the blocking system is based on CORS policies
Since, the web client URL is the same as the API (server) URL, the CORS policy allows it.
I guess we could add a "Disable shareable URL" option πŸ‘
is there any other way to restrict a typebot to internal users where, say, the group of users don't have a website or domain they control
No way for now
Hopefully it's okay for me to use this area to ask since I think it's still related to the original question about allowed origins. Does the Allowed origins URL field accept * at all? Like https://*.google.com it will allow maps.google.com, photos.google.com etc etc?
Unfortunately for now it does not accept such patterns.
I'm curious do you really need to allow several sub domains?
yes, we have a few test envs using subdomains
Then if it's just a few, I recommend adding them manually for now?
yes that's what we've done πŸ˜‰
Add a reply
Sign up and join the conversation on Discord