Security
Staffify widgets use multiple layers of security to prevent unauthorized access and token abuse.
Session Tokens
When a visitor opens the widget, a single-use session token is generated with a 60-second TTL. The token is exchanged for a WebSocket connection and cannot be reused. This prevents token hijacking and replay attacks.
Domain Enforcement
If you've configured a domain whitelist, the server checks the Origin header during token exchange. Requests from non-whitelisted domains are rejected.
HTTPS Required
Widget connections require HTTPS in production. HTTP is only allowed for localhost during development.