Domain Allowlist

The domain allowlist lets you control exactly which websites are authorised to use your Customer ID. Once configured, any site not on the list is completely ignored by the SDK.

Why it matters

Your Customer ID is embedded in the install snippet that lives in your site's HTML source — anyone can view it. Without an allowlist, someone could copy your snippet to their own site and:

The allowlist is your primary defence against snippet theft. We recommend registering your domain as soon as you install the snippet.

How enforcement works

Enforcement operates at two layers:

1. SDK client-side check (banner suppression)

When the SDK's async bundle loads, it fetches your config. The config includes your registered allowedDomains list. The SDK immediately compares window.location.hostname against that list. If the current hostname isn't registered:

The SDK becomes completely invisible — as if it were never installed.

2. Consent service server-side check (event rejection)

Even if someone modifies the SDK or bypasses the client-side check, the consent service validates the Origin header on every POST /v1/consent request. Requests from unregistered origins are rejected with 403 Forbidden — no consent records are created.

Enforcement activation

State                          | Behaviour
-------------------------------|---------------------------------------------------------------
No domains registered          | All origins are allowed. The SDK functions normally everywhere. This is the initial state — use it to get your install in place before locking down.
One or more domains registered | Only registered hostnames can use the SDK. All others become a no-op.

Plan the full list of domains before you register the first one. The moment you add your first domain, enforcement activates. If you forget to add a staging domain first, your staging environment will stop working until you add it.

Registering domains

  1. Open the Admin UI and load your customer

     Go to cookie-banners-admin.onrender.com, sign in, then load your organisation.

  2. Click the Domains tab

  3. Enter each hostname and click Add Domain

     Enter bare hostnames only — no https://, no path, no trailing slash.

    example.com          ✓ correct
    www.example.com      ✓ correct (if you use www)
    staging.example.com  ✓ correct
    https://example.com  ✗ do not include the protocol
    example.com/path     ✗ no path

Wildcards are not supported. *.example.com does not match subdomains. Register each subdomain individually (e.g. www.example.com, app.example.com).

Cache propagation

After adding or removing a domain, the config cache is invalidated immediately. New SDK loads on your site will see the updated list within seconds. Visitors who loaded the SDK before your change will use the cached config until their page reloads.

Localhost & development

localhost and 127.0.0.1 are always exempt from the allowlist, even when enforcement is active. You never need to register them. This means you can develop and test locally regardless of your allowlist configuration.
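The matching rules described on this page (empty list means enforcement is off, localhost and 127.0.0.1 are always exempt, exact hostname match only with no wildcard support, and a 403 for unregistered Origin headers on POST /v1/consent), written out as an added example. This is illustrative code, not the SDK's or consent service's own implementation; the function names are assumed, and the handling of a missing or unparsable Origin header (treated as unregistered) is an assumption the page does not state.

```javascript
// Hosts that bypass the allowlist even when enforcement is active (per the page).
const DEV_EXEMPT = new Set(["localhost", "127.0.0.1"]);

// Bring a hostname into the form the page asks you to register: bare,
// lower-case, no trailing dot. Protocol and path are never part of a hostname.
function normaliseHostname(host) {
  return String(host).trim().toLowerCase().replace(/\.$/, "");
}

// Client-side rule (what the SDK applies to window.location.hostname):
// - no registered domains  => enforcement off, every host allowed
// - localhost / 127.0.0.1  => always allowed
// - otherwise              => exact match against the registered list only;
//   an entry like "*.example.com" is a literal string and matches nothing real
function isHostAllowed(hostname, allowedDomains) {
  const host = normaliseHostname(hostname);
  if (DEV_EXEMPT.has(host)) return true;
  if (!Array.isArray(allowedDomains) || allowedDomains.length === 0) return true;
  const registered = new Set(allowedDomains.map(normaliseHostname));
  return registered.has(host);
}

// Server-side rule (what the consent service applies to the Origin header of a
// POST /v1/consent). Returns the HTTP status the page describes: 200 when the
// origin is registered, 403 Forbidden otherwise. Assumption: a missing or
// malformed Origin is treated as unregistered while enforcement is active.
function consentRequestStatus(originHeader, allowedDomains) {
  const enforcing = Array.isArray(allowedDomains) && allowedDomains.length > 0;
  if (!enforcing) return 200;
  let host;
  try {
    host = new URL(originHeader ?? "").hostname; // strips scheme, port and path
  } catch {
    return 403;
  }
  return isHostAllowed(host, allowedDomains) ? 200 : 403;
}
```

Note that a registered `example.com` does not cover `www.example.com`; each hostname you serve from must be listed on its own.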

Removing a domain

Click the Remove button next to a domain in the Domains tab. Removal takes effect immediately — the domain will be rejected on the next SDK load after the cache propagates (within seconds at the origin, within 5 minutes at the CDN edge).

Removing your last domain disables enforcement. If you remove all registered domains, the SDK will once again work from any origin. Re-add at least one domain if you want enforcement to remain active.