Domain Whitelists

Domain Whitelists for Upload

Domain whitelists prevent File Picker from being embedded on unapproved websites. Whitelisting works by blocking requests that don’t contain an approved domain in the “Origin” header. It’s one way of securing your solution and your resources, so others don’t attempt to piggyback on your account. It isn’t foolproof on its own, however: it’s trivial to spoof an “Origin” header outside the browser, so while whitelisting prevents another website from freeloading off of an API key, it does not protect against attacks generally. To truly protect an account against attacks or abuse, configure it to authenticate every request with security policies.

Domain Whitelists for Delivery

Delivery domain whitelists let developers provide a list of domains from which their files can be downloaded. This limits abusers who either steal API keys or use someone else’s files on their own websites. Conceptually, it works the same way as upload whitelisting. Again, this is not the ultimate security measure for protecting API keys: the feature only prevents content from being used on unauthorized websites, and it is still possible to download files directly (for example, with curl or by entering the URL directly in the browser). To truly protect your assets, configure security policies.

Origin and Referer request headers

When you add a domain to a whitelist, a checkbox for blocking requests without Origin or Referer headers appears below the domain list, separately for delivery and upload. Each checkbox applies to all domains in its whitelist type.

Format and restrictions

Domains should be passed in a limited glob format.

* - matches any number of characters, but not separators;

? - matches a single character, but not separators;

{ } - allows for a comma-separated list of “or” expressions;

[ ] - specifies a range: the pattern m[a-d]m matches anything that starts and ends with m and has a single character from a to d in between. For example, these would match: mam, mbm, mcm, mdm.

Domains may include a port. In that case, incoming requests also need to have a matching port specified.

The protocol is ignored (http:// and https:// are treated the same). If you provide a domain with the protocol included, it is removed automatically on save.

We do not accept parentheses ( ) in domain patterns. However, you can still use curly brackets { } in your patterns.

A maximum of 20 patterns can be passed per whitelist type. If you need to set more, please contact support or sales.


*domain.* ✔ true
*domain.* ✘ false
*.domain.* ✔ true
subdomain.*.com ✔ true
subdomain.*.com ✘ false
mydomain.{com,org} ✔ true
mydomain.{com,org} ✔ true
mydomain.{com,org} ✘ false
[a-n]* ✔ true
[a-n]* ✘ false
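
The rules under "Format and restrictions" can be tried out locally with the matcher below. It is an added example, not the service's own implementation, and the function names are hypothetical. It assumes the separator is "." and that a pattern without a port ignores the request's port, since the page specifies neither.

```python
import re
from urllib.parse import urlsplit

SEP = "."          # assumption: the page does not name the separator characters
MAX_PATTERNS = 20  # limit stated on the page

def normalize(pattern):
    """Drop the protocol (it is ignored) and reject parentheses."""
    pattern = re.sub(r"^https?://", "", pattern.strip().lower())
    if "(" in pattern or ")" in pattern:
        raise ValueError("parentheses are not accepted in domain patterns")
    return pattern

def glob_to_regex(pattern):
    """Translate the limited glob syntax into a compiled regex."""
    out, i, depth, not_sep = [], 0, 0, "[^" + re.escape(SEP) + "]"
    while i < len(pattern):
        c = pattern[i]
        if c in "*?":                      # never crosses a separator
            out.append(not_sep + ("*" if c == "*" else ""))
        elif c == "{":
            out.append("(?:"); depth += 1
        elif c == "}" and depth:
            out.append(")"); depth -= 1
        elif c == "," and depth:           # "or" inside { }
            out.append("|")
        elif c == "[":
            end = pattern.find("]", i)
            if end < 0 or not re.fullmatch(r"[a-z0-9-]+", pattern[i + 1:end]):
                raise ValueError("bad [ ] range in pattern")
            out.append(pattern[i:end + 1]); i = end
        else:
            out.append(re.escape(c))
        i += 1
    return re.compile("".join(out))        # an unclosed { raises re.error here

def origin_allowed(origin, patterns, block_missing=True):
    """True if the Origin/Referer value passes; a pattern with a port
    requires the same port on the request."""
    if len(patterns) > MAX_PATTERNS:
        raise ValueError("maximum 20 patterns per whitelist type")
    if not origin:
        return not block_missing           # models the missing-header checkbox
    parts = urlsplit(origin if "//" in origin else "//" + origin)
    host = (parts.hostname or "").lower()
    for pat in map(normalize, patterns):
        target = f"{host}:{parts.port}" if ":" in pat and parts.port else host
        if glob_to_regex(pat).fullmatch(target):
            return True
    return False
```

Because the decision rests on a header the client supplies, a passing result only shows that the request claims an approved origin.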