Origin Security

The Origin Security feature in AppNavi enhances security by allowing you to restrict access to your application's resources, including APIs and data files, based on the originating domain (origin). It helps you control which external domains can communicate with your application, ensuring that only trusted domains have access.

This feature can be enabled or disabled at the app level and is disabled by default. When it is enabled, a new tab for configuring origin security appears, where users can define up to 10 origins, including wildcard patterns.

Once enabled, only requests originating from these allowed domains can access the application’s resources and make API calls. This functionality is crucial for enforcing domain-level access control and ensuring that resources are accessed only from authorized endpoints.

Important: When adding an application pattern for Origin Security, include a wildcard at the beginning of the domain pattern, formatted like this: https://*.example.com. This configuration allows all subdomains of example.com to access your application’s resources. For instance, with this wildcard pattern, zero.example.com will be allowed and will display the avatar, and other subdomains, such as hello.example.com, will also work because the wildcard covers them.

However, if you need to restrict access to specific subdomains, you can enable Origin Security with a specific pattern, such as zero.example.com, without using a wildcard. This way, only zero.example.com will display the avatar, and all other subdomains (like hello.example.com) will be rejected. If you prefer to allow all subdomains, include a wildcard in the pattern, such as https://*.example.com.


Configuring Allowed Origins

Once Origin Security is enabled, you can define up to 10 allowed origins (external domains) that can access your application. The origins can include specific domains or wildcard patterns for broader control.

Key Features

Optional Feature: Origin-based security is optional and is disabled by default.
Wildcard Support: Supports wildcard domains (e.g., *.example.com).
Restrict Access: Controls both static resource access and API calls.
Seamless Integration: Works with or without tenant-level encryption.

Valid Patterns

HTTPS and Wildcard Subdomains: Patterns must start with http://, https://, or *. for wildcard subdomains.
Alphanumeric TLDs and Ports: Allows alphanumeric top-level domains (TLDs) and optional ports (e.g., https://example.com:8080).
No Trailing Slashes: Trailing slashes (/) at the end of the pattern are not allowed.


Examples of Valid and Invalid Patterns:

| Pattern | Valid | Reason |
| --- | --- | --- |
| `https://example.com` | ✅ Yes | Fully qualified domain without trailing / |
| `http://*.example.com` | ✅ Yes | Wildcard subdomain is allowed |
| `*.example.com` | ✅ Yes | Wildcard subdomain without protocol |
| `https://example.com:8080` | ✅ Yes | The custom port is allowed |
| `https://*.example.*` | ✅ Yes | Wildcard TLD is allowed |
| `http://example.*` | ✅ Yes | Wildcard for TLD |
| `http://example.com/` | ❌ No | Trailing slash not allowed |
| `https://example` | ❌ No | Invalid domain format |
| `*example.com` | ❌ No | Wildcards must be properly formatted |
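
The pattern rules and the zero.example.com / hello.example.com behaviour described above can be checked with the following added example; it is not AppNavi's code, and the function names (`parsePattern`, `matches`, `isAllowed`) are hypothetical. It assumes that a leading `*.` needs at least one subdomain label, that a `*` TLD stands for exactly one label, and that a pattern without a port matches only the default port.

```javascript
// Added example, not AppNavi code. Matching semantics are assumptions (see comments).
const MAX_ORIGINS = 10; // limit stated on the page

// Optional scheme, optional leading "*.", host labels, TLD (or "*"), optional port.
// Anchored at both ends, so a trailing "/" or a stray "*" fails to parse.
const PATTERN_RE =
  /^(?:(https?):\/\/)?((?:\*\.)?[a-z0-9-]+(?:\.[a-z0-9-]+)*)\.([a-z0-9]+|\*)(?::(\d{1,5}))?$/i;

function parsePattern(pattern) {
  const m = PATTERN_RE.exec(pattern);
  if (!m) return null;
  const [, scheme, host, tld, port] = m;
  if (!scheme && !host.startsWith("*.")) return null; // must start with a scheme or "*."
  if (port && Number(port) > 65535) return null;
  return {
    scheme: scheme ? scheme.toLowerCase() + ":" : null,
    labels: (host + "." + tld).toLowerCase().split("."),
    port: port || "",
  };
}

function matches(pattern, origin) {
  const p = parsePattern(pattern);
  let u;
  try { u = new URL(origin); } catch { return false; }
  // Accept only a canonical http(s) origin: no path, userinfo, or query.
  if (!p || u.origin !== origin || !/^https?:$/.test(u.protocol)) return false;
  if (p.scheme && p.scheme !== u.protocol) return false;
  if (p.port !== u.port) return false; // assumption: no port in pattern = default port
  const got = u.hostname.split(".");
  const lead = p.labels[0] === "*";
  const fixed = lead ? p.labels.slice(1) : p.labels;
  // Assumption: leading "*." needs at least one extra label (apex does not match).
  if (lead ? got.length <= fixed.length : got.length !== fixed.length) return false;
  // Compare whole labels from the right, never a raw string suffix.
  const tail = got.slice(-fixed.length);
  return fixed.every((w, i) => w === "*" || w === tail[i]);
}

function isAllowed(patterns, origin) {
  if (patterns.length > MAX_ORIGINS) throw new RangeError("at most 10 origins");
  return patterns.some((p) => matches(p, origin));
}
```

Comparing whole labels is what keeps a look-alike host such as notexample.com from satisfying `*.example.com`.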

Example of Pattern Matching:


Steps to Configure Origin Security

  1. Log in to the AppNavi Portal.
  2. Navigate to the Manage Tenant section in the portal.
  3. Click on the Application tab to view the list of applications.
  4. Click on the + icon to create a new application or select an existing application for editing.
  5. In the application settings, locate the Origin Security toggle button.
  6. Enable the Origin Security toggle.
  7. Once enabled, a new tab titled Origin Security will appear.
  8. Click on the Origin Security tab.
  9. In the Origin Security tab, you can add up to 10 URL patterns that define the allowed origins for the application.
  10. After entering the allowed origins, save your changes.