Domain Management Guide
Control which websites can use your feedback widget with domain restrictions.
Overview
Domain restrictions allow you to:
- Prevent unauthorized use of your widget on other websites
- Protect against spam from unknown sources
- Control deployment across multiple domains
- Support wildcards for subdomains
Default behavior: If no domains are configured, widget accepts feedback from any website.
Accessing Domain Settings
- Sign in to Miniback dashboard
- Navigate to your project
- Scroll to “Security Settings” section
- See “Allowed Domains” configuration
Adding Domains
Basic Domain
Add a single domain:
- Enter domain in the input field:
example.com - Click the ”+” (Add) button
- Domain appears in the list below
- Saves automatically
Examples:
example.com
mywebsite.org
feedback.company.ioDomain Format
Include:
- ✅ Domain only:
example.com - ✅ Subdomain:
app.example.com - ✅ Wildcard:
*.example.com
Don’t include:
- ❌ Protocol:
https://example.com - ❌ Port:
example.com:3000 - ❌ Path:
example.com/page - ❌ Trailing slash:
example.com/
Wildcard Patterns
Subdomain Wildcards
Match all subdomains of a domain:
Pattern: *.example.com
Matches:
- ✅
app.example.com - ✅
staging.example.com - ✅
dev.example.com - ✅
www.example.com
Does NOT match:
- ❌
example.com(root domain) - ❌
api.app.example.com(nested subdomain)
Root + Subdomains
To allow both root and subdomains:
example.com
*.example.comNow matches:
- ✅
example.com - ✅
app.example.com - ✅
staging.example.com - ✅
www.example.com
Common Patterns
Single Production Site
example.com
www.example.comUse for: Simple websites with/without www
Production + Staging
example.com
staging.example.comUse for: Separate staging environment
All Subdomains
*.example.comUse for: Multi-tenant apps, dynamic subdomains
Multiple Domains
example.com
example.org
example.netUse for: Multiple top-level domains
Development + Production
localhost
*.example.com
example.comUse for: Local development + all environments
Localhost & Development
Allowing Local Development
Add these for local testing:
localhost
127.0.0.1Port handling:
- Ports are ignored in matching
localhost:3000matcheslocalhostlocalhost:8080matcheslocalhost
Development Servers
localhost
*.local
dev.example.comRemove Before Production
⚠️ Important: Remove localhost before production deployment to prevent local testing submissions mixing with real data.
Removing Domains
- Find domain in the allowed domains list
- Click the “X” (Remove) button next to domain
- Confirm removal
- Domain removed immediately
Effect: Widget submissions from that domain are now blocked.
How Domain Restriction Works
Submission Flow
- User submits feedback via widget
- Widget includes origin domain in request
- Miniback checks allowed domains
- If match found: ✅ Accept feedback
- If no match: ❌ Reject with “Domain not allowed” error
Checking Logic
Empty list (no domains configured):
- Accepts from any domain
- ⚠️ Warning shown in dashboard
With domains configured:
Submitted from: app.staging.example.com
Allowed domains:
- *.example.com ✅ MATCH (wildcard)
- example.org ❌ No match
Result: ✅ AcceptedSecurity Best Practices
Always Configure Domains
Even if you trust your users:
- Prevents widget hijacking
- Stops spam submissions
- Maintains data quality
Principle of Least Privilege
Only allow domains you control:
- ❌ Don’t allow
*(all domains) - ✅ Explicitly list each domain
- ✅ Use wildcards only when necessary
Regular Audits
Review allowed domains:
- Remove old staging/dev domains
- Update after domain changes
- Clean up test domains
Separate Projects for Different Domains
For unrelated websites:
- Create separate projects
- Configure domains independently
- Isolate feedback by site
Testing Domain Restrictions
Step 1: Configure Domains
Add your test domain to allowed list.
Step 2: Submit Test Feedback
Visit your website and submit feedback via widget.
Step 3: Verify Acceptance
Check dashboard - feedback should appear.
Step 4: Test Rejection
- Remove domain from allowed list
- Try submitting feedback again
- Should see “Domain not allowed” error
- Feedback should NOT appear in dashboard
Debug with Browser Console
Open DevTools (F12) → Console:
// Successful submission
✅ Feedback submitted successfully
// Rejected submission
❌ Error: Domain not allowedCommon Issues
Widget Not Working After Adding Domains
Problem: Forgot to add your actual domain
Solution:
- Check current domain in browser address bar
- Add exact domain to allowed list
- Include
wwwif applicable
Wildcard Not Matching
Problem: *.example.com doesn’t match example.com
Solution:
# Add both:
example.com
*.example.comDevelopment vs Production
Problem: Works locally but not in production
Solution:
- Add production domain to allowed list
- Remove
localhostbefore deployment - Test on production domain
Subdomain Issues
Problem: app.staging.example.com not matching *.example.com
Solution: Wildcards only match one subdomain level. For nested subdomains:
*.staging.example.comEnvironment-Specific Configurations
Development
localhost
127.0.0.1
*.local
dev.example.comStaging
staging.example.com
test.example.com
uat.example.comProduction
example.com
www.example.comBest Practice: Separate Projects
Better approach:
- Project 1 (Dev): Allow
localhost,*.dev.example.com - Project 2 (Staging): Allow
staging.example.com - Project 3 (Production): Allow
example.com,www.example.com
Benefits:
- Isolated feedback per environment
- No cleanup needed
- Better analytics
Advanced Scenarios
CDN/Proxy Domains
If using CDN (Cloudflare, etc.):
- Add origin domain (where widget is embedded)
- CDN domain typically doesn’t affect origin
Iframe Embedding
Domain restriction checks the parent page domain, not iframe domain.
Example:
Page: example.com
Iframe: widgets.miniback.io
→ Checks: example.com
→ Add: example.com to allowed listMobile Apps
Domain restrictions don’t apply to:
- Native mobile apps (iOS/Android)
- Desktop applications (Electron)
These use API directly with API keys.
Third-Party Platforms
Webflow, Wix, etc.:
- Find your published site domain
- Add that domain to allowed list
- May include platform subdomains
Troubleshooting
“Domain not allowed” error:
- Check browser address bar for exact domain
- Add to allowed domains (including www if needed)
- Test submission again
- Clear browser cache if needed
Widget works on some pages, not others:
- Check if pages are on different subdomains
- Add wildcard or specific subdomains
Changes not taking effect:
- Domain settings save automatically
- No cache - changes immediate
- Try hard refresh (Ctrl+F5)
Disabling Domain Restrictions
To allow from any domain:
- Remove all domains from allowed list
- Leave field empty
- ⚠️ Warning appears: “No domains configured”
Use with caution: Only for internal/trusted deployments.
What’s Next?
- Security - Other security features
- Installation - Widget setup
- API Security - API key management
Need help? See Troubleshooting or contact support.