Why this matters
Anyone who finds your widget's id can paste your embed snippet on their own site. Without an allowlist, the widget will load and conversations will count against your quota — even though those visitors aren't yours.
In practice this rarely happens by accident. But if someone scrapes your site or copies your code, the allowlist is the cheap defense.
How the allowlist works
Set one or more domains under Settings → Widget → Allowed origins. Format is plain domain — bright-smiles-dental.com. You can list multiple domains, one per line.
When a browser tries to load the widget, Salva checks the browser's Origin header against your list. If there's no match, the widget refuses to render.
If the allowlist is empty or set to *, the widget loads anywhere your <script> tag is pasted — including third-party sites you don't control.
Domains to add
Always include:
- Your primary practice domain (e.g., bright-smiles-dental.com)
- The www. version if your site uses it
- Any staging or preview domains you actively use
You don't need to include https:// or trailing slashes — just the bare domain.
What about subdomains?
Subdomains are not automatically included. If you run the widget on book.bright-smiles-dental.com as well as the root domain, add both explicitly. This is intentional — it prevents an unrelated subdomain (e.g., a vendor-hosted blog) from accidentally loading the widget.
Common gotchas
- Forgetting to add www — bright-smiles-dental.com and www.bright-smiles-dental.com are different origins. List both if your site serves on both.
- Wildcards — only * (match all) is supported. *.bright-smiles-dental.com isn't; add each subdomain explicitly.
- HTTPS vs HTTP — the widget only runs over HTTPS for security reasons. Make sure your site is on HTTPS before going live.
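The following is an added example, not Salva's own code, of an Origin-header check that follows the rules described in this article: bare-domain entries, exact host matching (so www and subdomains must be listed separately), only * as a wildcard, an empty list meaning "load anywhere", and HTTPS only. The function and variable names, and the sample allowlist, are assumptions made for illustration.

```javascript
// Added example (not Salva's code). Models the allowlist behaviour described
// in the article; names and sample data are constructed for illustration.

// Normalise one allowlist entry the way the article says entries are written:
// a bare domain, case-insensitive, with any scheme or trailing slash stripped.
function normalizeEntry(entry) {
  const e = String(entry).trim().toLowerCase();
  if (e === '*') return '*';
  return e.replace(/^https?:\/\//, '').replace(/\/+$/, '');
}

// Decide whether a request carrying `originHeader` may load the widget.
//   - an empty allowlist or a '*' entry allows every origin
//   - only '*' is a wildcard; '*.example.com' is a literal that never matches
//   - everything else is an exact hostname match (www and subdomains listed explicitly)
//   - the widget only runs over HTTPS, so http: origins are refused regardless
function isOriginAllowed(originHeader, allowlist) {
  const entries = (allowlist || []).map(normalizeEntry).filter(Boolean);
  let origin;
  try {
    origin = new URL(originHeader); // throws on a missing, "null" or malformed Origin
  } catch {
    return false; // no usable origin: refuse to render
  }
  if (origin.protocol !== 'https:') return false;
  if (entries.length === 0 || entries.includes('*')) return true;
  return entries.includes(origin.hostname);
}

// Constructed sample allowlist: root, www and one booking subdomain listed explicitly.
const SAMPLE_ALLOWLIST = [
  'bright-smiles-dental.com',
  'www.bright-smiles-dental.com',
  'book.bright-smiles-dental.com',
];

// Stand-alone demonstration of the gotchas from the article.
if (typeof require !== 'undefined' && require.main === module) {
  for (const o of [
    'https://bright-smiles-dental.com',
    'https://blog.bright-smiles-dental.com', // unlisted subdomain: refused
    'http://bright-smiles-dental.com',       // HTTP: refused
    'https://other-site.example',            // third-party site: refused
  ]) {
    console.log(o, '->', isOriginAllowed(o, SAMPLE_ALLOWLIST));
  }
}
```

The check runs where the Origin header is available, i.e. server-side when the widget script or its config is requested; a browser-side check alone can be bypassed by anyone who copies the snippet. An empty allowlist deliberately returns true here to mirror the article's default, which is exactly why filling it in is the cheap defense.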
For a broader look at security across the product (encryption, audit logs, subprocessors), see How Salva protects your data.
Published May 14, 2026