
Security best practices

Identity verification, allowed origins, CSP, and data-handling guidance.

  • Verify identity with server-minted JWTs. Mint the token on your backend with the widget secret; never embed that secret in frontend code, where anyone can read it and mint tokens for any user. Keep tokens short-lived so a leaked token is only useful briefly.
  • Configure allowed origins for your widget. Session creation is rejected from any origin not on the list, so list the exact scheme, host and port of every page that embeds the widget, and nothing broader.
  • Don't send sensitive data in metadata/customFields (passwords, secrets, full card numbers, tokens, PII you don't need).
  • Always call shutdown({ clearStorage: true }) on logout so no widget session state survives in the browser; this matters most on shared devices, where the next user would otherwise inherit the previous session.
  • The widget renders user/agent text as plain text and sanitizes article HTML; the UI runs in an isolated iframe as a security boundary.
  • If your site sets a Content-Security-Policy, allow the widget explicitly rather than loosening the policy, e.g. script-src https://clad-server-staging.up.railway.app; frame-src https://clad-server-staging.up.railway.app; connect-src https://clad-server-staging.up.railway.app wss://clad-server-staging.up.railway.app. Merge these sources into your existing directives (keeping 'self' and whatever else your own pages need) rather than replacing them, and use the host your deployment actually talks to.