# Security best practices

> Identity verification, allowed origins, CSP, and data-handling guidance.

Source: https://docs.useclad.ai/security

---

- **Verify identity with server‑minted JWTs.** Mint the token on your server from
  the user's authenticated session. Never embed the widget secret in frontend
  code, and keep tokens short‑lived so a leaked token stops working quickly.
- **Configure allowed origins** for your widget. Session creation is rejected
  from any origin not on the list.
- **Don't send sensitive data** in `metadata`/`customFields` (passwords,
  secrets, full card numbers, tokens, PII you don't need).
- **Always `shutdown({ clearStorage: true })` on logout**, especially for shared
  devices.
- The widget renders user/agent text as plain text and sanitizes article HTML;
  the UI runs in an isolated iframe, which acts as the security boundary between
  the widget and your page.
- A reasonable **Content‑Security‑Policy** on your site can allow the widget
  explicitly, e.g. `script-src https://clad-server-staging.up.railway.app; frame-src https://clad-server-staging.up.railway.app; connect-src https://clad-server-staging.up.railway.app wss://clad-server-staging.up.railway.app`.
  Treat these as sources to add to your existing `script-src`, `frame-src` and
  `connect-src` directives, not as replacements: CSP directives are allowlists,
  so a `script-src` that names only the widget host would block your own
  scripts. Use the host the widget script is actually served from, and remember
  that a directive you omit (for example `frame-src`) falls back to
  `default-src`.

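The CSP item above gives the sources to allow; the pitfall is wiring them into a policy you already send. The following is an added example, not Clad's code, of extending an existing `Content-Security-Policy` header with the widget's sources instead of overwriting the directives. It keeps `'self'`, nonces and whatever else you already allow, and when a directive is absent it starts from the `default-src` list (minus `'none'`) because that is what the browser would have applied. The parsing is deliberately minimal and the hostnames are the ones from the page's example; substitute the host your widget is served from.

```javascript
// Added example, not Clad's code: merge the widget's CSP sources into an
// existing policy rather than replacing directives. Hosts are the ones from the
// page's example; the helper names are this example's own.
const WIDGET_ORIGIN = "https://clad-server-staging.up.railway.app";
const WIDGET_WS_ORIGIN = "wss://clad-server-staging.up.railway.app";

const WIDGET_SOURCES = {
  "script-src": [WIDGET_ORIGIN],
  "frame-src": [WIDGET_ORIGIN],
  "connect-src": [WIDGET_ORIGIN, WIDGET_WS_ORIGIN],
};

// Minimal parser: "directive src src; directive src" -> Map(directive -> [src]).
function parseCsp(header) {
  const out = new Map();
  for (const raw of header.split(";")) {
    const tokens = raw.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    out.set(name.toLowerCase(), sources);
  }
  return out;
}

function serializeCsp(map) {
  return [...map.entries()].map(([name, sources]) => [name, ...sources].join(" ")).join("; ");
}

// Returns the existing policy with the widget sources appended to each
// directive. An absent directive inherits default-src (browsers fall back to it),
// so inheriting explicitly avoids silently dropping those sources; 'none' is
// removed because it is only meaningful on its own.
function allowWidget(existingCsp, extra = WIDGET_SOURCES) {
  const csp = parseCsp(existingCsp);
  const defaults = (csp.get("default-src") ?? []).filter((s) => s !== "'none'");
  for (const [directive, sources] of Object.entries(extra)) {
    const current = csp.get(directive) ?? [...defaults];
    for (const s of sources) if (!current.includes(s)) current.push(s);
    csp.set(directive, current);
  }
  return serializeCsp(csp);
}
```

Call `allowWidget` on the header value you already send and set the result as the new `Content-Security-Policy`. If your site sends no CSP today, the result allows only the widget sources, which will block your own scripts; in that case start from a policy that covers your site (at least `default-src 'self'`) before merging.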