Skip to content

Security

  • Always set an explicit targetOriginnever * in production.
  • Validate event.origin and event.source on inbound messages (use isTrustedPostMessageEvent).
  • Prefer short-lived tokens and refresh them via updateAuthToken() before expiry.
  • Avoid exposing Segmentify API keys in client-side code where possible — prefer a partner backend-for-frontend (BFF) proxy.
  • Call controller.dispose() (iframe) or unmount() (mount) when removing CDP.
Content-Security-Policy: frame-src https://cdp.segmentify.com;
  • Add partner domains to the API CORS allowlist.
  • Issue scoped API keys per partner (least privilege).
  • Serve CDP embed pages with a frame-ancestors policy restricted to partner domains.
  • Support token refresh via SEGMENTIFY_HOST_AUTH_UPDATE.
  • Log SEGMENTIFY_MFE_ERROR events reported by embeds.

CSP on the CDP embed origin (set by Segmentify)

Section titled “CSP on the CDP embed origin (set by Segmentify)”
Content-Security-Policy: frame-ancestors https://partner.example.com;

CDP API calls originate from the browser. The partner origin must be on the Segmentify API CORS allowlist, or the calls should be proxied through a partner BFF. CORS failures show up as blocked network requests — see Troubleshooting.