# Configure Web Security Domain
How to configure a web security domain
For Web applications, it is easier to steal the userPoolId/secret, so some special defensive measures are needed. The key point is to ensure that even after others steal your userPoolId, they cannot directly use your server resources. The web side can restrict the source of requests through the Web security domain name, which is a simple way to prevent the theft of web server resources.
```
// cross domain
www.a.com:8080    www.a.com
// cross domain
www.a.com:8080    www.a.com:80
// cross domain
a.com             www.a.com
// cross domain
xxx.a.com         www.a.com
// Different protocols, cross-domain
http:             https:
```
This prevents others from misusing your server resources from other addresses on the Internet. Note, however, that the purpose of the Web security domain name is to prevent malicious deployment, not to prevent forged or dirty data (a malicious user may still access application data by binding the host), so you must still check the data. For more fine-grained control, use it together with ACL.
For use in a WebView, it is recommended to load a deployed web page with a domain name through the WebView and then cache it locally, so that it can be restricted by the Web security domain name.
Web security domain names take effect only for operations on sensitive information, such as modifying user information and deleting users. Public interfaces, such as login and registration, are not affected by Web security domain names.
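
The comparison described above can be sketched as a server-side check. This is an added example, not the product's own code: it compares a request's `Origin` header with the configured Web security domains on protocol, host and port, and applies the check only to sensitive operations. The function names, the `sensitive` flag, the sample domains and the choice to reject a sensitive request that carries no `Origin` are assumptions.

```javascript
// Added example with hypothetical names; not the product's API.
const DEFAULT_PORTS = { "http:": "80", "https:": "443" };

// Reduce a URL or Origin header value to "protocol//host:port",
// making the default port explicit so "www.a.com" and "www.a.com:80" compare equal.
function normalizeOrigin(value) {
  let u;
  try {
    u = new URL(value);
  } catch {
    return null; // unparseable values, including the literal Origin "null"
  }
  const port = u.port || DEFAULT_PORTS[u.protocol];
  if (!port) return null; // only http and https origins are accepted
  return `${u.protocol}//${u.hostname}:${port}`;
}

// Two origins match only when protocol, host and port are all identical.
function sameOrigin(a, b) {
  const na = normalizeOrigin(a);
  const nb = normalizeOrigin(b);
  return na !== null && na === nb;
}

// Decide whether a request may proceed given the configured domains.
// Public interfaces (login, registration) are not restricted.
function isRequestAllowed(originHeader, allowedDomains, { sensitive }) {
  if (!sensitive) return true;
  if (!originHeader) return false; // assumed policy: no Origin, no sensitive operation
  return allowedDomains.some((d) => sameOrigin(originHeader, d));
}

// Constructed sample configuration and requests.
const allowed = ["https://www.a.com"];
const samples = [
  ["https://www.a.com", true],       // configured domain
  ["https://www.a.com:8080", false], // different port
  ["https://a.com", false],          // different host
  ["https://xxx.a.com", false],      // different subdomain
  ["http://www.a.com", false],       // different protocol
];
for (const [origin, expected] of samples) {
  const got = isRequestAllowed(origin, allowed, { sensitive: true });
  console.log(origin, got === expected ? "ok" : "unexpected", got);
}
```

A non-browser client can send any `Origin` value it likes, so this check only stops pages deployed on other domains; per-record authorization still has to come from ACL.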