automaton82
Yeah, I get that, but that's the same thing CORS does. Except CORS will pass security tests since the preflight options will also fail when not on an allowed domain....
If your goal is to solve multi tenancy in cloud hosting (1 host per N clients) then better to solve it with actual accounts and tenancy, where you keep the...
You can but you need to do it yourself in your own repo today. To do so, open the existing repo here https://github.com/FlowiseAI/FlowiseChatEmbed Then clone it into your own repo....
My guess is it's a lot of work to put this into the product since it'd have to introduce ability to theme somehow. If that's your goal, then better to just...
The PR I opened will disallow all HTTP calls from unauthorized domains via CORS headers which resolves the chatbot scenario. It also disallows iframe embedding since that was also 100%...
One difference is the PR is throwing an error instead of no reply at all, which is suggested here as the result. Let me see if I can update it.
Added [089928a](https://github.com/FlowiseAI/Flowise/pull/1608/commits/089928aaa89766e99115e936f3704d3bae14a90d) to the PR to return no result at all, only disallow the call, to satisfy the requirement in this feature.
As a note, it would be difficult to implement this at the chatflow level; it's likely too late. Preflight OPTIONS request will come beforehand even for basic requests including websocket...
Flowise does not issue CSP, CORS or other headers at all by default and the websocket is open to all (from what I've seen). You're better off using a reverse...
If you don't use a reverse proxy, then the feature I did in https://github.com/FlowiseAI/Flowise/pull/1608 should have solved this one. Suggest getting latest, edit the `.env` and set the new options...