Only allow the widget to load on approved domains.
Protect dashboard actions (saving widgets, settings) from cross-site request forgery.
Throttle public message endpoints to reduce abuse and cost.
Avoid blocking embeds globally; instead scope iframe restrictions to /app and /admin.