
Security Considerations

Referrer-Policy

Handshakes Graph Widget requires that at least one of the HTTP headers Origin or Referer be present on every API request the widget makes. A request carrying neither header is rejected.

Hosting sites must ensure that at least one of these headers is sent on every API request the widget makes. Browsers add Origin to cross-origin fetch and XMLHttpRequest calls automatically, but whether Referer is sent at all, and how much of the page URL it contains, is controlled by your site's Referrer-Policy.

If you have configured a Referrer-Policy for your site, make sure it does not withhold the Referer header from cross-origin requests: the values no-referrer and same-origin suppress it for requests to Handshakes, and any request that then also lacks an Origin header is rejected. The recommended value sends the full page URL for same-origin requests but only your origin (scheme, host and port) for cross-origin requests, which is all the widget needs and keeps page paths and query strings out of third-party logs. It is also the default in modern browsers when no policy is set. Set the directive to:

Referrer-Policy: strict-origin-when-cross-origin
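The following is an added example and not part of the Handshakes documentation or widget code. It models the Referer value a browser attaches under each Referrer-Policy value and whether a request would then satisfy the requirement above that Origin or Referer be present. The API-side check (apiAccepts) is an assumption that follows the behaviour described on this page, not Handshakes' server code; the page and target URLs are constructed sample values.

```javascript
// Added example, not Handshakes' code. Simulates browser Referrer-Policy
// behaviour and a simplified model of the widget API's Origin/Referer check.

function originOf(u) {
  const url = new URL(u);
  return `${url.protocol}//${url.host}`;
}

// Full-URL referrers never carry credentials or the fragment.
function stripForReferrer(u) {
  const url = new URL(u);
  url.username = '';
  url.password = '';
  url.hash = '';
  return url.href;
}

function isDowngrade(from, to) {
  return new URL(from).protocol === 'https:' && new URL(to).protocol !== 'https:';
}

// Referer header value for a request from pageUrl to targetUrl under policy,
// or null when the browser sends no Referer at all. Origin-only values are
// serialised with a trailing slash, as browsers do.
function computeReferer(policy, pageUrl, targetUrl) {
  const sameOrigin = originOf(pageUrl) === originOf(targetUrl);
  const downgrade = isDowngrade(pageUrl, targetUrl);
  const originOnly = originOf(pageUrl) + '/';
  switch (policy || 'strict-origin-when-cross-origin') { // empty policy: browser default
    case 'no-referrer':
      return null;
    case 'no-referrer-when-downgrade':
      return downgrade ? null : stripForReferrer(pageUrl);
    case 'origin':
      return originOnly;
    case 'origin-when-cross-origin':
      return sameOrigin ? stripForReferrer(pageUrl) : originOnly;
    case 'same-origin':
      return sameOrigin ? stripForReferrer(pageUrl) : null;
    case 'strict-origin':
      return downgrade ? null : originOnly;
    case 'strict-origin-when-cross-origin':
      if (sameOrigin) return stripForReferrer(pageUrl);
      return downgrade ? null : originOnly;
    case 'unsafe-url':
      return stripForReferrer(pageUrl);
    default:
      throw new Error(`unknown Referrer-Policy value: ${policy}`);
  }
}

// Assumed model of the API-side check described on this page: accept when at
// least one of Origin or Referer is present.
function apiAccepts(headers) {
  return Boolean(headers.origin || headers.referer);
}

// Headers a request from the page to a Handshakes URL would carry. Browsers add
// Origin to every cross-origin CORS request (fetch/XHR), so Referrer-Policy
// only decides the outcome for no-cors loads such as a plain <img> element.
function simulateRequest(policy, pageUrl, targetUrl, { cors = true } = {}) {
  const headers = {};
  if (cors) headers.origin = originOf(pageUrl);
  const referer = computeReferer(policy, pageUrl, targetUrl);
  if (referer !== null) headers.referer = referer;
  return { headers, accepted: apiAccepts(headers) };
}

// Which policy values still let a no-cors load from the widget be accepted?
function policiesAccepting(pageUrl, targetUrl) {
  const policies = ['no-referrer', 'no-referrer-when-downgrade', 'origin',
    'origin-when-cross-origin', 'same-origin', 'strict-origin',
    'strict-origin-when-cross-origin', 'unsafe-url'];
  return policies.filter(p => simulateRequest(p, pageUrl, targetUrl, { cors: false }).accepted);
}
```

Running policiesAccepting against a cross-origin https target shows that only no-referrer and same-origin cause a rejection, and that strict-origin-when-cross-origin reveals nothing beyond the origin (https://host.example/) even when the page URL carries a query string.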

Content-Security-Policy

Content Security Policy (CSP) is an added layer of security that helps detect and mitigate certain types of attacks, including Cross-Site Scripting (XSS) and data injection. Such attacks are used for everything from data theft to site defacement and malware distribution.

If you have configured a CSP for your site, you must add the Handshakes domains to the relevant directives, because the widget makes HTTP requests from your site to Handshakes. Keep in mind that a fetch directive you have not set (for example connect-src) falls back to default-src, so a policy of default-src 'self' on its own blocks the widget until the domains are added either to default-src or to each specific directive. If the policy is delivered in more than one header or meta tag, every one of them must allow the request. Add the domain to any other directive that governs a resource type the widget loads on your page, for example script-src if you load the widget's script from widget.handshakes.ai.

Allowlisting our domains should look like the following example:

Content-Security-Policy: connect-src 'self' https://widget.handshakes.ai https://api.handshakes.ai; img-src 'self' https://widget.handshakes.ai; font-src 'self' https://widget.handshakes.ai;
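The following is an added example and not part of the Handshakes documentation or widget code. It parses a Content-Security-Policy header and checks whether the requests the widget makes are allowed, modelling the two rules that most often break an embedded widget: a missing fetch directive falls back to default-src, and a host source matches on scheme, host and port. The request URLs in WIDGET_REQUESTS are constructed from the directives in the example above; the widget's real paths are not documented on this page. Redirect handling and the http-to-https upgrade that 'self' and host sources permit are left out.

```javascript
// Added example, not Handshakes' code. Checks a CSP header against the
// requests the widget is expected to make.

// Constructed sample requests (assumption); only the hosts come from the docs.
const WIDGET_REQUESTS = [
  { directive: 'connect-src', url: 'https://api.handshakes.ai/graph' },
  { directive: 'connect-src', url: 'https://widget.handshakes.ai/config' },
  { directive: 'img-src', url: 'https://widget.handshakes.ai/icon.png' },
  { directive: 'font-src', url: 'https://widget.handshakes.ai/font.woff2' },
];

// Map of directive name -> source list. When a directive is repeated within
// one policy, browsers keep the first occurrence and ignore the rest.
function parseCsp(header) {
  const policy = new Map();
  for (const part of header.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    if (!name) continue;
    const key = name.toLowerCase();
    if (!policy.has(key)) policy.set(key, sources);
  }
  return policy;
}

function defaultPort(protocol) {
  return { 'https:': '443', 'wss:': '443', 'http:': '80', 'ws:': '80' }[protocol] || '';
}

// host-source: [scheme://]host[:port][/path]; host may start with "*."
function hostSourceMatches(source, url) {
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([a-z0-9.-]+)(?::(\d+|\*))?(\/.*)?$/i.exec(source);
  if (!m) return false;
  const [, scheme, wildcard, host, port, path] = m;
  if (scheme && `${scheme.toLowerCase()}:` !== url.protocol) return false;
  const h = url.hostname.toLowerCase();
  const want = host.toLowerCase();
  if (wildcard ? !h.endsWith(`.${want}`) : h !== want) return false;
  const urlPort = url.port || defaultPort(url.protocol);
  if (port === undefined) {
    if (url.port !== '') return false; // no port in source: only the scheme's default port matches
  } else if (port !== '*' && port !== urlPort) {
    return false;
  }
  if (path) {
    if (path.endsWith('/') ? !url.pathname.startsWith(path) : url.pathname !== path) return false;
  }
  return true;
}

function sourceMatches(source, url, pageOrigin) {
  const s = source.toLowerCase();
  if (s === "'none'") return false;
  if (s === "'self'") return `${url.protocol}//${url.host}` === pageOrigin;
  if (s === '*') return true;                                    // any network scheme
  if (s.startsWith("'")) return false;                           // nonces/hashes never match a URL
  if (/^[a-z][a-z0-9+.-]*:$/.test(s)) return url.protocol === s; // scheme-source such as https:
  return hostSourceMatches(source, url);
}

// Sources governing a fetch directive: the directive itself, else default-src,
// else null meaning "no restriction".
function effectiveSources(policy, directive) {
  if (policy.has(directive)) return policy.get(directive);
  return policy.has('default-src') ? policy.get('default-src') : null;
}

function checkWidgetRequests(header, pageOrigin) {
  const policy = parseCsp(header);
  return WIDGET_REQUESTS.map(({ directive, url }) => {
    const sources = effectiveSources(policy, directive);
    const target = new URL(url);
    const allowed = sources === null || sources.some(s => sourceMatches(s, target, pageOrigin));
    return { directive, url, allowed };
  });
}

// URLs the widget could not load under the given policy.
function blockedRequests(header, pageOrigin) {
  return checkWidgetRequests(header, pageOrigin).filter(r => !r.allowed).map(r => r.url);
}
```

Calling blockedRequests with the header from the example above and your page origin returns an empty list; with default-src 'self' alone every widget request is blocked, and with a connect-src that names the domains but no img-src or font-src, the image and font loads still fall back to default-src and are blocked.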