Allowed Origins & CORS Security
Secure your TellBack installation by specifying exact allowed domains. Prevent unauthorized widget script initialization and API requests.
To protect your account quota and ensure that bug reports are only received from your official staging or production domains, TellBack enforces origin whitelisting via CORS validation in our backend APIs.
What is an Origin?
An origin is defined by the browser as the combination of the URI scheme (protocol), domain (host), and port.
All three components must match exactly. Any variation will result in a CORS blocker error.
Valid Origin Examples
https://example.com(Default HTTPS scheme, no port specified)https://www.example.com(Subdomains are treated as separate origins!)https://staging.example.com(A staging site origin)http://localhost:3000(Local testing server on port 3000. Protocol ishttp)
How to Configure Allowed Origins
- Navigate to your TellBack dashboard.
- Go to Settings > Sites and select your active Site.
- Locate the Allowed Origins list.
- Input your target origins and click Save.
No Wildcards Supported:
TellBack matches origins using exact string checks in our backend database. Wildcard patterns like *.example.com or https://* are not supported. You must list every domain, subdomain, and development port explicitly.
Common Configuration Mistakes
Ensure your origin entries do not fall into these common pitfalls:
- Adding trailing slashes or paths:
- ✗
https://example.com/(Trailing slash) - ✗
https://example.com/dashboard(Path included) - ✓
https://example.com
- ✗
- Missing the protocol scheme:
- ✗
example.com - ✓
https://example.com
- ✗
- Mismatching WWW vs. Non-WWW:
If your site redirectsexample.comtowww.example.com, ensure thewwwversion is added. - Mismatching ports:
http://localhost:3000andhttp://localhost:5173are distinct origins. Ensure your local config matches your exact frontend dev server port. - Testing localhost while only production is whitelisted:
Remember to addhttp://localhost:3000during development cycles.
Troubleshooting CORS Blocker Errors
If your widget is loaded on a site but fails to render, check the browser console. If you see a 403 Forbidden or CORS Error on requests to https://tellback.io/api/, it indicates that the current page's origin has not been added to your Site's Allowed Origins.
Once you add the correct origin in the dashboard, the changes are active instantly (no script reinstall or server restart required).
Privacy Responsibility
Site owners are responsible for providing appropriate visitor notices and obtaining any required consent for feedback collection, pageview tracking, session context, replay, audio, screenshots, and AI processing.