Documentation
Documentation
Development
Quickstart
Initialization
Embedding
Sending Data
Fetching Data
Mapping Data
Handling Errors
Security
Nesting Components
Features
Login
Register
Two-Factor
Feed
3rd-Party Integrations
Authy
reCAPTCHA
Stripe
Powered by GitBook
Have an account? Sign in

Security

Last updated 9 months ago

Keep your users safe by following these security best practices.

Whitelist Domains

In order to embed Mason features in your application, you must any domains from which requests will originate. Domains must match exactly, so if you will serve from example.com and www.example.com you must whitelist both domains. Wildcards are not accepted.

You must whitelist your domains for each component.

  1. Open the Settings panel in the tool left sidebar.

  2. Under Whitelist Domains, add each domain requests will originate from separated by a comma.

  3. Save

Verify Server-side Requests

Mason may send server-to-server requests in the event it needs to transmit a private key, or to inform your application an event has occurred that is vulnerable to spoofing. In this case, we will always include a user specificverificationToken parameter in the JSON request body. You should store this token in your server-side application (not in a public repo!) and verify it prior to accepting any server-to-server requests from Mason.

handler(req, res) {
    if (req.body.verificationToken !== process.env.MASON_VERIFICATION_TOKEN) {
        res.status(401).end();
        return;
    }
    ...
}

Requests originating client-side will not contain a verification token, since that would expose it.

Development - Previous
Handling Errors
Next - Development
Nesting Components
Contents
Whitelist DomainsVerify Server-side Requests