Security
Keep your users safe by following these security best practices.
In order to embed Mason features in your application, you must any domains from which requests will originate. Domains must match exactly, so if you will serve from example.com and www.example.com you must whitelist both domains. Wildcards are not accepted.
You must whitelist your domains for each component.
Open the Settings panel in the tool left sidebar.
Under Whitelist Domains, add each domain requests will originate from separated by a comma.
Save
Mason may send server-to-server requests in the event it needs to transmit a private key, or to inform your application an event has occurred that is vulnerable to spoofing. In this case, we will always include a user specificverificationToken parameter in the JSON request body. You should store this token in your server-side application (not in a public repo!) and verify it prior to accepting any server-to-server requests from Mason.
handler(req, res) {if (req.body.verificationToken !== process.env.MASON_VERIFICATION_TOKEN) {res.status(401).end();return;}...}
Requests originating client-side will not contain a verification token, since that would expose it.