How do u block my requests to cdn.builder.io/api/v3/query from different domains?

Hi,
I have set my domain in the settings under Space → Site URL to be www.myheritage.com. I implemented the usage of Builder.io sections by calling your API with:
const content = await builder.get(modelName, {url: context}).promise();

When I test this section from www.myheritage.com, it works as expected. However, it also works when I test it from www.myheritage.es, which is a different domain.

Why is this happening? Shouldn’t Builder.io block requests from domains not listed in the Site URL setting? Can we get successful responses from any domain without any restriction from your side?

Thank you for your assistance.

Hello @katia.lishnevsky,

Builder.io does not enforce content domain restrictions for serving content via APIs based on the primary domain set in the Space settings. This means that the content will still be available regardless of the domain from which it is requested.

The “Site URL” setting under Space → Site URL helps with features like preview URLs and various other settings within the Builder.io interface, but it does not restrict the domains that can access the content via API calls.

Therefore, you can receive successful responses from the domain for which your app is deployed, and the builder is integrated without any restriction. This behaviour allows flexibility for previewing and testing your sections from various environments and subdomains but means that you need to implement any specific domain restrictions on your end via your API gateway or server configuration if required.

Refer to the following resources for more details:

If you need further security measures, consider implementing server-side domain permission checks or configuring your Content Security Policy accordingly.

Thanks,

Tnx for your quick response!
but I don’t see how your suggestion about implementing any specific domain restrictions on our end via our API gateway or server configuration can help with the case when somebody who has our public key will try to send requests to fetch our content from your API?
do u have any solution for restricting it?
this is a must have for our company.

tnx!

Hello @katia.lishnevsky,

The way we do it is pretty standard for content management systems. Having a public key visible in API requests on the client is standard, as well as being able to fetch content with that API key. That being said, if you want to lock everything down, you can choose to make all your models private. In that case, you would need to fetch all data from the server using a private API key. Here is a forum post that talks about how to do that: “Create Private Pages that are accessible only after authorization”.

Hope this helps!

Thanks,

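The server-side approach from the reply above, as an added example that is not Builder.io's own code: the browser never holds the private key; it calls a small proxy that checks the request's Origin against an exact-match allowlist and then fetches the private model with the private key in a header. It assumes (not confirmed by this thread) that Builder accepts the private key as a Bearer token and that the content endpoint is https://cdn.builder.io/api/v3/content/<model>; the handler shape and `fetchImpl` parameter are hypothetical so it runs offline.

```javascript
// Added example, not Builder.io's code. ASSUMPTIONS: private key goes in
// "Authorization: Bearer ..." and the endpoint is /api/v3/content/<model>;
// verify both against current Builder docs before deploying.
const ALLOWED_ORIGINS = new Set(['https://www.myheritage.com', 'https://www.myheritage.es']);

// Exact-match allowlist on the parsed origin: defeats suffix/prefix tricks such as
// "https://www.myheritage.com.attacker.example" or "https://notmyheritage.com".
function isAllowedOrigin(origin) {
  if (typeof origin !== 'string') return false; // header absent or "null" origin
  let parsed;
  try { parsed = new URL(origin); } catch { return false; }
  return ALLOWED_ORIGINS.has(parsed.origin);
}

// Build the upstream request. The key is placed only in a header, never in the
// query string, so it does not land in CDN or proxy access logs.
function buildUpstreamRequest(model, pageUrl, privateKey) {
  const upstream = new URL(`https://cdn.builder.io/api/v3/content/${encodeURIComponent(model)}`);
  upstream.searchParams.set('url', pageUrl); // same targeting input as builder.get(model, { url })
  return { url: upstream.toString(), headers: { Authorization: `Bearer ${privateKey}` } };
}

// Hypothetical handler: req = { headers: { origin }, query: { model, url } }.
// fetchImpl is injectable so the logic can be exercised without network access.
async function handleContentRequest(req, privateKey, fetchImpl = globalThis.fetch) {
  if (!isAllowedOrigin(req.headers.origin)) {
    return { status: 403, body: { error: 'origin not allowed' } };
  }
  // Model names are used to build a path; reject anything outside a safe charset.
  if (typeof req.query.model !== 'string' || !/^[a-z0-9-]+$/i.test(req.query.model)) {
    return { status: 400, body: { error: 'invalid model' } };
  }
  const { url, headers } = buildUpstreamRequest(req.query.model, req.query.url || '/', privateKey);
  const res = await fetchImpl(url, { headers });
  if (!res.ok) return { status: 502, body: { error: 'upstream error' } };
  const data = await res.json();
  // Reflect only the exact origin that passed the allowlist, never "*".
  return {
    status: 200,
    headers: { 'Access-Control-Allow-Origin': req.headers.origin, Vary: 'Origin' },
    body: data,
  };
}
```

The Origin check only governs which browser sites may embed the content; a non-browser client can send any Origin, so for truly private pages the proxy should also require the visitor's own session before fetching.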