How to use whitelisted domains

The Whitelisted Domains feature provides an essential security control for your data collection. By specifying an "allow list" of domains, you can ensure that your Collector only accepts data from your trusted web properties, blocking unwanted data from scrapers, bots, or development environments.

Overview

This feature allows Administrators to specify and edit a list of allowed domain suffixes (e.g., your-company.com) directly on the Collector's configuration page. The system then validates incoming requests against this list.

  • Subdomains are included: The system uses a suffix-match, so whitelisting your-company.com will also automatically allow requests from app.your-company.com and video.your-company.com.

  • Permissions: Administrators can edit the list, while Standard Users can only view it.

How to Configure

Admins can find the domain settings on the Collector's Integration tab.

  1. Navigate to the Collectors page and select the collector you wish to configure.

  2. Click on the Integration tab.

  3. Scroll to the Collector Domains section.

Adding Domains

Once you have entered text into the first domain field, a + Add button will become visible. Click the + Add button to append a new, empty input field to the bottom of the list.

Removing Domains

To remove a domain, click the remove icon (e.g., a trashcan or 'x') next to the domain entry you wish to delete. The item will be immediately removed from the list. Note: The first item in the list may not have a remove icon. To remove it, simply clear the text.

How Domain Validation Works

When a request is made to your Collector, the system checks the request’s Origin header. Here is how the logic is applied:

| Scenario | Request Headers | Whitelist Status | System Action |
|---|---|---|---|
| Match Found | Origin header matches a domain (suffix-match). | List is configured. | Returns the full, correct collector configuration (200 OK). |
| No Match | Origin header is present but does not match any domain. | List is configured. | Returns an empty (but valid) JSON configuration (200 OK). Subsequent data POSTs from this origin are rejected. |
| Empty Whitelist | Any. | No domains are saved in the whitelist. | Validation is skipped. Returns the full configuration. |
| Missing Headers | Origin headers are both absent. | List is configured. | Validation is skipped. Typical case for non-browser integrations. Returns the full configuration (200 OK). This allows server-to-server integrations to function. |
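The four scenarios above, sketched as an added example (not the product's own code). The names `decide`, `host_allowed`, `origin_host` and the two return constants are hypothetical, the sample origins are constructed, and matching on a dot boundary (so that a look-alike such as `notyour-company.com` does not pass for `your-company.com`) is an assumption, since the page says only "suffix-match".

```python
from urllib.parse import urlsplit

# Hypothetical labels for the two responses the page describes (both 200 OK).
FULL_CONFIG = "full"    # full, correct collector configuration
EMPTY_CONFIG = "empty"  # empty but valid JSON configuration


def origin_host(origin):
    """Hostname from an Origin header value, or None if it has none."""
    try:
        host = urlsplit(origin.strip()).hostname
    except ValueError:  # malformed value, e.g. a broken IPv6 literal
        return None
    return host.rstrip(".") if host else None


def host_allowed(host, domain):
    """Suffix match on a label boundary (assumed; the page says only 'suffix-match')."""
    return host == domain or host.endswith("." + domain)


def decide(origin, whitelist):
    """Map a request's Origin header (None when absent) to a response."""
    domains = [d.strip().lower().strip(".") for d in whitelist if d.strip()]
    if not domains:
        return FULL_CONFIG   # Empty Whitelist: validation skipped
    if origin is None:
        return FULL_CONFIG   # Missing Headers: validation skipped
    host = origin_host(origin)
    if host and any(host_allowed(host, d) for d in domains):
        return FULL_CONFIG   # Match Found
    return EMPTY_CONFIG      # No Match


if __name__ == "__main__":
    allow = ["your-company.com"]
    for origin in (  # constructed sample values
        "https://app.your-company.com",
        "https://your-company.com:8443",
        "https://notyour-company.com",
        "https://your-company.com.example.net",
        "null",
        None,
    ):
        print(repr(origin), "->", decide(origin, allow))
```

Because requests without an Origin header skip validation, the list constrains browser traffic only; it is not an authentication control for server-to-server callers.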

Standard User View

Standard Users can see the list of domains but cannot make changes.