Practical protections designed for embedded widgets on real customer websites.
Only approved domains can load a widget’s configuration, preventing widget-id misuse.
Critical dashboard actions require CSRF tokens, reducing cross-site request attacks.
Public endpoints apply a basic per-IP throttle to reduce abuse and unexpected AI costs.
Embedding is allowed for /embed while /app and /admin remain protected against clickjacking.
Your OpenAI key is never exposed to the browser; all calls happen from the server.
Conversations and messages are stored in MySQL so you can review, export, and improve.
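The approved-domain check for widget configuration and the route-dependent clickjacking protection above, as an added example that is not the product's own code. It assumes a per-widget allowlist of origins (the widget id and domains below are constructed sample values) and expresses both checks as framework-free functions returning a verdict and response headers.

```javascript
// Added example, not the product's code. Widget id and domains are constructed samples.
const WIDGET_ALLOWED_ORIGINS = {
  wgt_demo_123: ["https://shop.example.com", "https://www.example.com"],
};

// Normalize an Origin header to scheme://host[:port]; anything that does not parse
// (missing header, the literal "null", a bare hostname) is rejected rather than guessed.
function normalizeOrigin(origin) {
  if (typeof origin !== "string") return null;
  try {
    const u = new URL(origin);
    if (u.protocol !== "https:" && u.protocol !== "http:") return null;
    return u.origin; // strips path/query and lowercases scheme and host
  } catch (e) {
    return null;
  }
}

// May this widget's configuration be served to the requesting origin?
// Exact-origin match only: no suffix or wildcard matching, so
// "https://shop.example.com.evil.net" cannot pass for "https://shop.example.com".
function widgetConfigAllowed(widgetId, originHeader) {
  const allowed = WIDGET_ALLOWED_ORIGINS[widgetId];
  if (!allowed) return false; // unknown widget id: deny, do not fall back to a default
  const origin = normalizeOrigin(originHeader);
  return origin !== null && allowed.includes(origin);
}

// Response headers by route: /embed may be framed only by the widget's approved origins;
// every other route (dashboard, admin) refuses framing entirely. X-Frame-Options is kept
// alongside CSP frame-ancestors for clients that do not honour CSP.
function framingHeaders(pathname, widgetId) {
  if (pathname === "/embed" || pathname.startsWith("/embed/")) {
    const allowed = WIDGET_ALLOWED_ORIGINS[widgetId] || [];
    return {
      "Content-Security-Policy": allowed.length
        ? `frame-ancestors ${allowed.join(" ")}`
        : "frame-ancestors 'none'",
    };
  }
  return {
    "Content-Security-Policy": "frame-ancestors 'none'",
    "X-Frame-Options": "DENY",
  };
}
```

Compare the Origin header with the allowlist before reading any widget state, and return the same generic 403 for an unknown widget id and a disallowed origin so the response does not reveal which ids exist.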