Security

Allowed-domains whitelist

Every project has an Allowed Domains list. The widget script is only delivered to page loads whose Referer matches one of those domains. A request from any other host gets a 403 and no script is served.

Set this list under Settings → Widget → Allowed Domains. Add every hostname you intend to serve the widget from — for example example.com, www.example.com, shop.example.com. If the list is empty the widget cannot be loaded from any domain, which effectively disables it.

Local development

Add localhost to the allowed-domains list while you're developing. Remove it before going live.
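To make the documented rule concrete, here is an added example (not Aira's own code) of the allowed-domains check as the page describes it: an exact hostname match of the request's Referer against the list, an empty list denying everything, and localhost working only while it is listed. The list contents and the `serve_widget` helper are constructed for illustration.

```python
from urllib.parse import urlsplit

# Constructed sample of a project's Allowed Domains list (hypothetical project).
ALLOWED_DOMAINS = ["example.com", "www.example.com", "shop.example.com"]


def referer_host(referer):
    """Return the lowercase hostname from a Referer value, or None if unusable."""
    if not referer:
        return None
    parts = urlsplit(referer.strip())
    # Only real web origins count; anything else (blank, odd schemes) is denied.
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    # .hostname already drops the port and any credentials and lowercases.
    return parts.hostname.rstrip(".")


def widget_allowed(referer, allowed_domains):
    """Exact hostname match, as the docs describe.

    No wildcard or subdomain matching: each hostname must be listed
    explicitly (example.com does not cover www.example.com). An empty list
    denies every request, which is why the widget is disabled until the list
    is filled in. Note that the Referer is sent by the browser, so this
    controls where the widget can be embedded; data access is still scoped
    by the projectId, not by this check.
    """
    if not allowed_domains:
        return False
    host = referer_host(referer)
    if host is None:
        return False
    allowed = {d.strip().lower().rstrip(".") for d in allowed_domains if d.strip()}
    return host in allowed


def serve_widget(referer, allowed_domains):
    """Return the HTTP status the docs describe: 200 (script served) or 403."""
    return 200 if widget_allowed(referer, allowed_domains) else 403


if __name__ == "__main__":
    for ref in ("https://shop.example.com/cart", "https://blog.example.com/", None):
        print(ref, "->", serve_widget(ref, ALLOWED_DOMAINS))
```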

Anti-spam on the pre-chat form

You can require Cloudflare Turnstile or Google reCAPTCHA on the visitor's pre-chat form to stop bots from burning your LLM budget. Configure the site key under Settings → Widget → Security.

Turnstile is preferred because it's free and privacy-friendly.

What the widget sees

The widget sees:

  • The questions visitors type
  • Whatever contact info the pre-chat form collects
  • Any object you pass via window.aiSupportWidgetData or setUserData() — see Widget JS API

The widget does not see:

  • DOM content, cookies, or localStorage of the host page
  • Session data or user info from your site unless you pass it explicitly
  • Anything on pages it's not loaded on

Project isolation

Each project has its own knowledge base, widget, conversations, and billing. A visitor on Project A's widget cannot reach Project B's data. The projectId in the script URL scopes everything.

Compliance note

Aira is not HIPAA-enabled, is not a banking integration, and should not be used to collect protected health information or financial account data. See the Healthcare and Finance solution pages for what it is and isn't appropriate for.

Reporting a security issue

Email [email protected]. Do not open a public issue.