Domain Restriction
Whitelist specific domains to prevent unauthorized form submissions
Domain restriction allows you to whitelist specific domains from which your forms can accept submissions. This adds an important security layer by preventing unauthorized use of your forms on untrusted websites.
How It Works
When domain restriction is enabled, Static Forms checks the Origin or Referer header of each form submission. If the domain doesn't match your whitelist, the submission is rejected with a clear error message.
- Only whitelisted domains can submit forms
- Automatic subdomain support (e.g., adding "example.com" allows "app.example.com")
- Optional localhost bypass for development
- Maximum 20 domains per account
- Independent settings for each child account
Setup Instructions
1. Enable Domain Restriction
Navigate to Settings → Domain Restriction
2. Add Approved Domains
Enter your domains without the protocol (https://). For example:
Invalid formats:
3. Configure Localhost Bypass (Optional)
Enable the "Allow Localhost" toggle to test forms during local development without adding localhost to your whitelist. This allows submissions from:
- localhost
- 127.0.0.1
- *.localhost (e.g., app.localhost)
- ::1 (IPv6 localhost)
4. Save Configuration
Click "Save Configuration" to activate domain restriction for your forms.
Subdomain Support
When you add a domain to your whitelist, all subdomains are automatically allowed. For example, adding example.com to your whitelist automatically allows:
- example.com
- www.example.com
- app.example.com
- staging.example.com
- Any other subdomain of example.com
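The matching rule described under "How It Works" and "Subdomain Support", sketched as an added example; it is not Static Forms' own code. The function names, the Origin-before-Referer order, and rejecting requests with no usable header are assumptions.

```python
from urllib.parse import urlsplit

MAX_DOMAINS = 20  # per-account limit stated on this page
LOCALHOST_NAMES = {"localhost", "127.0.0.1", "::1"}

def build_allowlist(entries):
    """Normalize whitelist entries; reject anything that is not a bare domain."""
    if len(entries) > MAX_DOMAINS:
        raise ValueError("at most 20 domains per account")
    cleaned = set()
    for entry in entries:
        domain = entry.strip().lower().rstrip(".")
        if not domain or "://" in domain or "/" in domain:
            raise ValueError(f"enter a bare domain, not {entry!r}")
        cleaned.add(domain)
    return frozenset(cleaned)

def submitting_host(headers):
    """Hostname from Origin, else Referer (order is an assumption); None if absent."""
    for name in ("Origin", "Referer"):
        value = headers.get(name, "").strip()
        if not value or value == "null":
            continue
        try:
            host = urlsplit(value).hostname  # drops scheme, userinfo, port, path
        except ValueError:
            continue  # malformed header value, try the next one
        if host:
            return host.lower().rstrip(".")
    return None

def is_allowed(headers, allowlist, allow_localhost=False):
    """Decide whether a submission's origin matches the whitelist."""
    host = submitting_host(headers)
    if host is None:
        return False  # assumption: no usable header means reject
    if allow_localhost and (host in LOCALHOST_NAMES or host.endswith(".localhost")):
        return True
    # Match the exact domain or a subdomain on a label boundary, so that
    # "evilexample.com" and "example.com.evil.net" do not match "example.com".
    return any(host == d or host.endswith("." + d) for d in allowlist)

ALLOWED = build_allowlist(["example.com"])  # constructed sample whitelist

if __name__ == "__main__":
    for origin in ("https://app.example.com", "https://evilexample.com"):
        print(origin, is_allowed({"Origin": origin}, ALLOWED))
```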
Child Accounts
Each child account can have its own independent domain restriction settings. Child accounts do not inherit the parent account's domain whitelist.
To configure domain restriction for a child account, go to the "Child Accounts" tab in the Domain Restriction settings.
Error Handling
When a form submission is rejected due to domain restriction, users will see a clear error message:
This error is logged in your account for monitoring unauthorized access attempts.
Best Practices
- Add all your production and staging domains before enabling
- Enable localhost bypass during development
- Keep your domain list up to date when deploying to new environments
- Monitor the error logs for unauthorized access attempts
- Use subdomain support to avoid adding every subdomain individually
Use Cases
Prevent API Key Abuse
If someone discovers your API key (e.g., from inspecting your HTML), they won't be able to use it on their own website. The form will only work on your approved domains.
Multi-Site Management
Manage multiple websites under one account with child accounts. Each child account can have its own domain whitelist for granular control.
Development vs Production
Use different child accounts for development and production, each with their own domain restrictions. Enable localhost bypass on your development child account.
Troubleshooting
Forms Not Working After Enabling
If your forms stop working after enabling domain restriction:
- Verify the domain is in your whitelist exactly as it appears in the browser
- Check if you're using www vs non-www (both should work with subdomain support)
- Ensure you entered the domain without https:// or paths
- For local testing, enable the "Allow Localhost" toggle
Origin/Referer Headers Missing
In rare cases, browsers or network configurations may strip Origin/Referer headers. If this happens:
- Check your browser's privacy settings
- Verify no browser extensions are blocking headers
- Check if a reverse proxy is stripping headers