Documentation
Documentation
Documentation
Development
Quickstart
Initialization
Embedding
Pages
Forms: Sending Data
Datasources: Fetching Data
Mapping Data
Custom event listeners
URL Parameters
Handling Errors
Security
Nesting Components
3rd-Party Integrations
reCAPTCHA
Stripe
Powered by GitBook

Security

Keep your users safe by following these security best practices.

Whitelist Domains

In order to embed Mason features in your application, you must any domains from which requests will originate. Domains must match exactly, so if you will serve from example.com and www.example.com you must whitelist both domains. Wildcards are not accepted.

You must whitelist your domains for each component.

  1. Open the Settings panel in the tool left sidebar.

  2. Under Whitelist Domains, add each domain requests will originate from separated by a comma.

  3. Save

Verify Server-side Requests

Mason may send server-to-server requests in the event it needs to transmit a private key, or to inform your application an event has occurred that is vulnerable to spoofing. In this case, we will always include a user specificverificationToken parameter in the JSON request body. You should store this token in your server-side application (not in a public repo!) and verify it prior to accepting any server-to-server requests from Mason.

handler(req, res) {
    if (req.body.verificationToken !== process.env.MASON_VERIFICATION_TOKEN) {
        res.status(401).end();
        return;
    }
    ...
}

Requests originating client-side will not contain a verification token, since that would expose it.

Development - Previous
Handling Errors
Next - Development
Nesting Components
Last updated 1 year ago
Contents
Whitelist Domains
Verify Server-side Requests