Allowed origins and CSP
Tell UserHero where the portal is allowed to load, and configure your site's CSP.
The Embedded Portal runs inside an iframe served by UserHero. To prevent another website from embedding your customers' portal, UserHero verifies that every session request comes from one of the origins you have allowlisted.
Adding origins
In Settings → Embedded Portal → Allowed origins, add every origin where the portal will load, including subdomains. Each origin must be HTTPS.
Examples:
https://app.example.com
https://staging.example.com
https://example.com
If a customer loads the portal from an origin that isn't on the list, they see an authentication error and the session never starts.
Content Security Policy
If your site uses a Content-Security-Policy header, allow UserHero in the relevant directives:
frame-src https://userhero.co;
script-src 'self' https://userhero.co;
connect-src 'self' https://userhero.co;
frame-ancestors at UserHero
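Adding these sources by hand is error-prone when a site already has a policy, because a directive that is absent from the header inherits its sources from a fallback (frame-src falls back to child-src and then default-src; script-src and connect-src fall back to default-src). Appending a bare "frame-src https://userhero.co" would silently drop the sources the page was inheriting. The following is an added example, not UserHero's own code, that merges the UserHero origin into an existing Content-Security-Policy value while preserving those fallback semantics; the policy strings it is run on are constructed samples.

```javascript
// Added example (not UserHero's code): merge the sources UserHero needs into an
// existing Content-Security-Policy header value without losing inherited sources.

const USERHERO_ORIGIN = "https://userhero.co";

// Directives UserHero needs, each with its CSP fallback chain (most specific first).
const FALLBACKS = {
  "frame-src": ["child-src", "default-src"],
  "script-src": ["default-src"],
  "connect-src": ["default-src"],
};

// Parse "name src src; name src" into a Map of directive -> source list.
// Per the CSP spec, a repeated directive name is ignored after its first occurrence.
function parseCsp(header) {
  const policy = new Map();
  for (const part of header.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    const key = name.toLowerCase();
    if (!policy.has(key)) policy.set(key, sources);
  }
  return policy;
}

function serializeCsp(policy) {
  return [...policy.entries()]
    .map(([name, sources]) => [name, ...sources].join(" "))
    .join("; ");
}

// Return a new header value in which frame-src, script-src and connect-src all
// allow `origin`. Absent directives are created from whatever the browser would
// have applied through the fallback chain, so existing sources are preserved.
function allowUserHero(header, origin = USERHERO_ORIGIN) {
  const policy = parseCsp(header);
  for (const [directive, chain] of Object.entries(FALLBACKS)) {
    let sources = policy.get(directive);
    if (sources === undefined) {
      const inherited = chain.map((d) => policy.get(d)).find((s) => s !== undefined);
      sources = inherited ? [...inherited] : [];
    }
    // 'none' forbids every source; it must be replaced, not extended.
    sources = sources.filter((s) => s !== "'none'");
    if (!sources.includes(origin)) sources.push(origin);
    policy.set(directive, sources);
  }
  return serializeCsp(policy);
}

// Constructed sample: a locked-down policy that never mentioned UserHero.
const SAMPLE_POLICY = "default-src 'self'; img-src *";
console.log(allowUserHero(SAMPLE_POLICY));
```

Running it on the sample yields a policy whose new frame-src, script-src and connect-src each carry 'self' (inherited from default-src) plus https://userhero.co, while img-src is untouched; running it a second time on its own output changes nothing.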
UserHero sets Content-Security-Policy: frame-ancestors https: 'self'; on the portal page itself. Because https: matches any HTTPS page, this header alone does not stop framing; the session handshake then enforces your allowlist on top of it, so a malicious site that strips CSP from its own response still cannot start a real session.
Local development
You can add origins such as https://localhost:PORT and https://*.your-tunnel.dev for development, but make sure to remove them, or replace them with your real production origins, before launch.