Allowed Origins & CORS Security

Secure your TellBack installation by specifying exact allowed domains. Prevent unauthorized widget script initialization and API requests.

Last updated:

To protect your account quota and ensure that bug reports are only received from your official staging or production domains, TellBack enforces origin whitelisting via CORS validation in our backend APIs.


What is an Origin?

An origin is defined by the browser as the combination of the URI scheme (protocol), domain (host), and port.

All three components must match exactly. Any variation will result in a CORS blocker error.

Valid Origin Examples

  • https://example.com (Default HTTPS scheme, no port specified)
  • https://www.example.com (Subdomains are treated as separate origins!)
  • https://staging.example.com (A staging site origin)
  • http://localhost:3000 (Local testing server on port 3000. Protocol is http)

How to Configure Allowed Origins

  1. Navigate to your TellBack dashboard.
  2. Go to Settings > Sites and select your active Site.
  3. Locate the Allowed Origins list.
  4. Input your target origins and click Save.

No Wildcards Supported:
TellBack matches origins using exact string checks in our backend database. Wildcard patterns like *.example.com or https://* are not supported. You must list every domain, subdomain, and development port explicitly.


Common Configuration Mistakes

Ensure your origin entries do not fall into these common pitfalls:

  • Adding trailing slashes or paths:
    • https://example.com/ (Trailing slash)
    • https://example.com/dashboard (Path included)
    • https://example.com
  • Missing the protocol scheme:
    • example.com
    • https://example.com
  • Mismatching WWW vs. Non-WWW:
    If your site redirects example.com to www.example.com, ensure the www version is added.
  • Mismatching ports:
    http://localhost:3000 and http://localhost:5173 are distinct origins. Ensure your local config matches your exact frontend dev server port.
  • Testing localhost while only production is whitelisted:
    Remember to add http://localhost:3000 during development cycles.

Troubleshooting CORS Blocker Errors

If your widget is loaded on a site but fails to render, check the browser console. If you see a 403 Forbidden or CORS Error on requests to https://tellback.io/api/, it indicates that the current page's origin has not been added to your Site's Allowed Origins.

Once you add the correct origin in the dashboard, the changes are active instantly (no script reinstall or server restart required).

Privacy Responsibility
Site owners are responsible for providing appropriate visitor notices and obtaining any required consent for feedback collection, pageview tracking, session context, replay, audio, screenshots, and AI processing.