Security

API Gateway restrictions

Allowed Domains

Your API key will be restricted such that any requests using that key must come from a list of allowed domains. An initial list will be set up for you during onboarding, based on the information provided up to that point.

Generally, an entire domain (naked or with a subdomain) is acceptable if you control it (e.g. yourmarketplace.com), while domains on hosted development platforms such as Vercel, Netlify, etc. must be restricted to the specific subdomain of your deployment, e.g. yourmarketplace-asdf-1234.vercel.app. Wildcards are acceptable, but must be limited in scope.
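To make the allowlist rules above concrete, here is an added example (not the gateway's own code) of how such a check can be implemented: it validates allowlist entries under the rules stated (a leading "*." wildcard only, no wildcard or apex entry on a hosted platform) and then matches an incoming Origin header against the list. The HOSTED_PLATFORMS list, the HTTPS-only requirement and the rule that a non-wildcard entry matches its hostname exactly are assumptions made for this example.

```javascript
// Added example: allowlist validation and Origin matching for an API gateway.
// Not the gateway's own code; the platform list and matching rules are assumptions.

// Hosted development platforms whose apex must never be allowlisted as a whole.
// Constructed list for this example.
const HOSTED_PLATFORMS = ["vercel.app", "netlify.app"];

function validateAllowlistEntry(entry, hostedPlatforms = HOSTED_PLATFORMS) {
  const e = entry.trim().toLowerCase();
  const wildcard = e.startsWith("*.");
  const base = wildcard ? e.slice(2) : e;
  // Only a leading "*." wildcard is supported; any other "*" is rejected.
  if (base.includes("*")) return { ok: false, reason: "wildcard must be a leading '*.'" };
  if (!/^[a-z0-9-]+(\.[a-z0-9-]+)+$/.test(base)) return { ok: false, reason: "not a valid hostname" };
  const platform = hostedPlatforms.find((p) => base === p || base.endsWith("." + p));
  if (platform) {
    // On a hosted platform the entry must name one specific deployment subdomain.
    if (base === platform) return { ok: false, reason: `entry covers all of ${platform}` };
    if (wildcard) return { ok: false, reason: `wildcard on ${platform} is too broad` };
  }
  return { ok: true, wildcard, base };
}

function originAllowed(originHeader, allowlist) {
  let host;
  try {
    const url = new URL(originHeader);
    if (url.protocol !== "https:") return false; // assumption: HTTPS-only clients
    host = url.hostname.toLowerCase();
  } catch {
    return false; // missing, "null" or malformed Origin fails closed
  }
  return allowlist.some((entry) => {
    const v = validateAllowlistEntry(entry);
    if (!v.ok) return false; // an invalid entry never grants access
    // Wildcard entries match any subdomain; plain entries match exactly.
    return v.wildcard ? host.endsWith("." + v.base) : host === v.base;
  });
}
```

Note that the suffix check uses the leading dot, so an attacker-controlled host such as yourmarketplace.com.evil.example does not match either the plain entry or the wildcard entry, and an Origin value of "null" (sent by sandboxed frames and some redirects) is rejected rather than treated as a match.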

Cross-Origin Resource Sharing (CORS) Policies

In order to pass the API gateway, requests to authenticated endpoints must carry a header that identifies the requesting origin, with a value matching an entry on the allowlist. You do not need to add this header yourself, as the browser attaches it automatically. However, your web server must set a policy that directs the browser to include it.

This is generally accomplished by sending the Referrer-Policy response header with a value such as strict-origin-when-cross-origin (the browser default), origin, or a related directive. Directives such as no-referrer, same-origin or related ones cause the browser to omit the header on cross-origin requests, and the request will fail. Alternatively, you can set the policy via a <meta> tag in the page instead of an HTTP header.
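The following added example (not code from this documentation) works through what the paragraph above describes: for each Referrer-Policy directive it computes the Referer value a browser would send from a page to an API endpoint, following the rules of the Referrer Policy specification. The page and endpoint URLs are constructed for the example; the API hostname is a placeholder.

```javascript
// Added example: the Referer value a browser sends under each Referrer-Policy.
// "from" is the page issuing the request, "to" is the endpoint being called.

function stripForReferer(url) {
  // A full Referer never carries credentials or the fragment.
  const u = new URL(url);
  u.username = "";
  u.password = "";
  u.hash = "";
  return u.href;
}

function isDowngrade(from, to) {
  // A TLS-protected page calling a plaintext endpoint.
  return new URL(from).protocol === "https:" && new URL(to).protocol !== "https:";
}

// Returns the Referer header value, or null when the browser omits the header.
function refererFor(policy, from, to) {
  const f = new URL(from);
  const t = new URL(to);
  const sameOrigin = f.origin === t.origin;
  const downgrade = isDowngrade(from, to);
  const full = stripForReferer(from);
  const originOnly = f.origin + "/"; // origin-only referrers are serialised with a trailing slash
  switch (policy) {
    case "no-referrer":
      return null;
    case "unsafe-url":
      return full;
    case "no-referrer-when-downgrade":
      return downgrade ? null : full;
    case "origin":
      return originOnly;
    case "same-origin":
      return sameOrigin ? full : null;
    case "origin-when-cross-origin":
      return sameOrigin ? full : originOnly;
    case "strict-origin":
      return downgrade ? null : originOnly;
    case "":
    case "strict-origin-when-cross-origin":
      // An empty policy means none was set; browsers fall back to this default.
      if (sameOrigin) return full;
      return downgrade ? null : originOnly;
    default:
      throw new Error(`unknown Referrer-Policy: ${policy}`);
  }
}

// True when a gateway on the far side of a cross-origin call can see the origin.
function gatewaySeesOrigin(policy, from, to) {
  return refererFor(policy, from, to) !== null;
}
```

The equivalent of the response header inside a page is the tag `<meta name="referrer" content="strict-origin-when-cross-origin">`. The example also shows why a plaintext endpoint is a problem even with the default policy: a downgrade from https to http suppresses the header entirely.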

On occasion, other headers sent by your web server can also affect this policy and may result in requests being blocked, notably Content-Security-Policy. Please refer to documentation such as the MDN Web Docs for more information.
