Widget Security (Whitelist)

Restrict your chatbot usage to authorized domains only.

Secure Your Widget with the Whitelist

Protect your chatbot against unauthorized use and credit theft by limiting its display to your own websites.

Introduction

Your widget’s integration code (the JavaScript snippet) contains a public API key. Without protection, anyone could copy this code from your site and install it on theirs. Their visitors would then consume your message quota, and your data would be exposed to an unwanted audience.

To counter this, DoxyChat uses a domain Whitelist system (Origin Allow). The chatbot will only function on the web addresses you have explicitly authorized.

Configuration Procedure

  1. Go to the Security tab (or Settings) of your chatbot.
  2. Locate the Authorized Domains (Whitelist) section.
  3. Click on the input field to add a domain.
  4. Enter your website’s URL.
  5. Press “Enter” or click on Add to validate the line.
  6. Do not forget to Save the changes.

Formatting Best Practices (Important)

For security to work correctly, addresses must be entered accurately:

  • Include the protocol: Always start with https:// (or http:// for testing environments).
  • Watch out for subdomains: https://mysite.com and https://www.mysite.com are considered two different sites. Remember to add both if your site is accessible via these two addresses.
  • No trailing slash: Remove the final /.
    • ✅ Correct: https://www.mycompany.com
    • ❌ Incorrect: https://www.mycompany.com/
  • Do not include specific pages: Authorize the root domain, not individual pages (no https://mysite.com/contact).
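
The formatting rules above, as an added example (not DoxyChat's own code): a pre-check you could run on entries before pasting them into the Authorized Domains field, plus the comparison that makes the www and non-www forms two different sites. The function names are hypothetical, and the exact string match is an assumption about how the whitelist is compared.

```javascript
// Added example, not DoxyChat code. Function names are hypothetical.

// Validate one whitelist entry against the formatting rules above and
// return the canonical origin plus any rule the raw entry breaks.
function checkEntry(raw) {
  const entry = raw.trim();
  const problems = [];
  let url;
  try {
    url = new URL(entry); // throws when the protocol is missing
  } catch {
    return { origin: null, problems: ["missing protocol or not a URL"] };
  }
  if (url.protocol !== "https:" && url.protocol !== "http:") {
    return { origin: null, problems: ["protocol must be https:// or http://"] };
  }
  if (url.protocol === "http:") problems.push("http:// is for testing environments only");
  if (url.pathname !== "/" || url.search || url.hash) {
    problems.push("specific page given; authorize the site address only");
  } else if (entry.endsWith("/")) {
    problems.push("trailing slash");
  }
  return { origin: url.origin, problems };
}

// Assumed comparison: exact match on the origin string, so scheme, host and
// port must all be identical. An empty list means "open to all", as the FAQ
// on this page describes.
function isOriginAllowed(pageOrigin, whitelist) {
  if (whitelist.length === 0) return true;
  return whitelist.includes(pageOrigin);
}

// Constructed sample entries.
const entered = [
  "https://www.mycompany.com",
  "https://www.mycompany.com/",
  "https://mysite.com/contact",
  "mysite.com",
];
for (const e of entered) {
  const { origin, problems } = checkEntry(e);
  console.log(e, "->", origin, problems.length ? problems : "ok");
}
```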

Troubleshooting and FAQ

I installed the code but the chat bubble does not appear.

This is the number one symptom of a missing domain in the whitelist. Open your browser console (F12): if you see a “CORS” or “403 Forbidden / Origin not allowed” error, it means you must add your site’s current URL in the DoxyChat security settings.

What happens if I leave the list empty?

By default, upon bot creation, if the list is empty, the widget is considered “open to all” to facilitate your initial tests. As soon as you add a first domain, the security lock activates automatically. Until then, the integration code works on any site that copies it, so add your domains before going live.