# Configure Web Security Domain

How to configure a web security domain

For Web applications it is comparatively easy to steal the userPoolId/secret from client-side code, so some additional defensive measures are needed. The key point is to ensure that even after someone has obtained your userPoolId, they cannot directly consume your server resources. On the web side, the Web security domain name restricts where requests may originate, which is a simple way to prevent theft of web server resources.

After you set a "Web Security Domain Name", server resources can only be called through the JavaScript SDK from pages under that domain name. The matching policy follows the browser's same-origin policy: protocol, domain and port must all match exactly. Wildcards for subdomains and port numbers are not supported, so when you configure a domain name you must write out the protocol, domain and port; leaving any one of them out may cause access to be denied. The following examples illustrate which pairs count as different domains:

```text
// cross domain (different port)
www.a.com:8080
www.a.com

// cross domain (different port)
www.a.com:8080
www.a.com:80

// cross domain (different host)
a.com
www.a.com

// cross domain (different subdomain)
xxx.a.com
www.a.com

// cross domain (different protocol)
http:
https:
```

This prevents others from consuming your server resources from other addresses on the Internet. Note, however, that the purpose of the Web security domain name is to prevent unauthorized deployments, not to prevent forgery of bad data (a malicious user can still reach application data, for example by binding the host name locally), so you must still validate the data on the server. For finer-grained control, use it together with ACL.

For use in a WebView, it is recommended to load a deployed web page with a proper domain name through the WebView and then cache it locally, so that the page is still restricted by the Web Security Domain Name.

If you use the JavaScript SDK on the front end, when you plan to officially release it, please be sure to configure the Web security domain name by entering Control Panel > Basic Settings > Web Security Domain Name.

Web security domain names are valid only when operating sensitive information, such as modifying user information and deleting users. Public interfaces, such as login and registration, are not affected by Web security domain names.
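The following is an added example, not the vendor's own SDK or server code, showing the kind of origin check a Web security domain enforces: the browser's `Origin` header is parsed into protocol, host and port and compared exactly against a configured allowlist, and only the sensitive actions named above (here assumed to be `updateUser` and `deleteUser`) are gated. It assumes that default ports (80 for http, 443 for https) are treated as equivalent to an omitted port, as browsers do when they send `Origin`, and that a request without an `Origin` header is denied for sensitive actions.

```javascript
// Added example (not the product's own code): strict origin allowlisting
// of the kind a "Web security domain" performs on the server.

// Default ports per scheme; an omitted port is normalized to these so that
// "https://www.a.com" and "https://www.a.com:443" compare equal, while any
// other port (e.g. :8080) stays distinct. Assumption, see lead-in.
const DEFAULT_PORT = { http: "80", https: "443" };

// Parse "scheme://host[:port][/]" into its three components.
// Returns null for anything that is not a bare origin (paths, queries,
// missing scheme), so malformed or sloppy input never matches.
function parseOrigin(s) {
  if (typeof s !== "string") return null;
  const m = /^([a-z][a-z0-9+.-]*):\/\/([^/:?#\s]+)(?::(\d{1,5}))?\/?$/i.exec(s.trim());
  if (!m) return null;
  const scheme = m[1].toLowerCase();
  return {
    scheme,
    host: m[2].toLowerCase(),
    port: m[3] !== undefined ? m[3] : (DEFAULT_PORT[scheme] || ""),
  };
}

// Two origins are the same only if scheme, host and port all agree.
// No wildcarding: "a.com" vs "www.a.com" and "xxx.a.com" vs "www.a.com"
// are different, exactly as in the examples above.
function sameOrigin(a, b) {
  const x = parseOrigin(a);
  const y = parseOrigin(b);
  if (!x || !y) return false;
  return x.scheme === y.scheme && x.host === y.host && x.port === y.port;
}

// Allowlist check against the configured security domains. A missing
// Origin header is treated as "not allowed" rather than silently passing.
function originAllowed(allowlist, originHeader) {
  return allowlist.some((entry) => sameOrigin(entry, originHeader));
}

// Only sensitive operations are gated; public ones (login, register) are
// not affected, mirroring the note in the text. Action names are assumed.
const SENSITIVE_ACTIONS = new Set(["updateUser", "deleteUser"]);

function authorize(allowlist, action, originHeader) {
  if (!SENSITIVE_ACTIONS.has(action)) return true;
  return originAllowed(allowlist, originHeader);
}

// Constructed sample: one configured domain, a few incoming requests.
const configuredDomains = ["https://www.a.com"];
const requests = [
  { action: "login", origin: "https://other.example" },       // allowed (public)
  { action: "deleteUser", origin: "https://www.a.com" },      // allowed
  { action: "deleteUser", origin: "https://www.a.com:8080" }, // denied (port)
  { action: "deleteUser", origin: "http://www.a.com" },       // denied (scheme)
  { action: "deleteUser", origin: undefined },                // denied (no Origin)
];
for (const r of requests) {
  console.log(r.action, r.origin, "->", authorize(configuredDomains, r.action, r.origin));
}
```

Because `Origin` is set by the browser and can be forged by any non-browser client, this check is a deployment restriction, not an authorization mechanism; the ACL and server-side data validation described above remain necessary.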