Security and ops one-pager

The short version for founders, developers, and reviewers.

Canonica can be page-aware without collecting secrets. Use this one-page summary for install reviews, developer handoff, and buyer security checks.

Allowed origins

Restrict widget runtime config to the product and staging domains where Canonica should run.

Blocked routes

Hide the widget from auth, payment, admin, internal help, or other sensitive paths.

Safe page context

Send page, route, feature, workflow, role, plan, state, and entity hints. Do not send secrets or raw customer records.

Screenshot attachments

Screenshots are attached only through user-initiated upload or paste. The widget does not automatically capture the host app screen or scrape the DOM.

Widget key handling

Canonica validates widget keys by hash and can copy recoverable widget keys only from encrypted server-side key material.

Owner approval

Drafts, generated answers, and mutation proposals do not become official support truth until reviewed.

Runtime rate limits

Public widget config, search, feedback, predictive, and API paths are bounded and validated before expensive work.

Tenant scope

Dashboard and runtime reads resolve Canonica workspace scope server-side; client context is never trusted as tenant identity.

Incident contact

Report security or data-handling concerns without sending secrets or full customer datasets in the first message.

What to send through context

Send stable labels that describe where the user is stuck: billing_invoices, onboarding_import, team_settings, plan name, role name, workflow name, or entity hints.

What not to send

Do not send passwords, auth tokens, card data, private customer records, raw database IDs, emails, phone numbers, unrelated personal information, or screenshots of screens that reveal secrets.
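
One way a host app could enforce the two lists above before any context reaches the widget. This is an added example, not Canonica's own code: buildSafeContext, templateRoute, the key list (taken from the "Safe page context" item) and the ID heuristics are assumptions for illustration.

```javascript
// Added example: host-side filter applied before any context reaches the widget.
// buildSafeContext and templateRoute are hypothetical helpers, not Canonica APIs.
const LABEL_KEYS = ["page", "feature", "workflow", "role", "plan", "state", "entity"];
// Stable label: lowercase, starts with a letter, at most 48 characters.
const LABEL = /^[a-z][a-z0-9_-]{0,47}$/;
// Heuristic for raw IDs: long digit runs, long hex runs, UUID prefixes.
const ID_LIKE = /\d{5,}|[0-9a-f]{16,}|[0-9a-f]{8}-[0-9a-f]{4}-/i;

// Reduce a concrete URL path to a route template with no query, fragment or IDs.
function templateRoute(route) {
  const path = String(route).split(/[?#]/)[0];
  return path.split("/").map((seg) => {
    if (seg === "") return seg;
    if (/^\d+$/.test(seg) || ID_LIKE.test(seg)) return ":id";
    // Anything that is not a plain word (emails, encoded values) is redacted.
    return /^[a-z][a-z0-9_-]*$/i.test(seg) ? seg.toLowerCase() : ":redacted";
  }).join("/");
}

// Keep only allowlisted keys whose values are stable labels; report the rest.
function buildSafeContext(raw) {
  const context = {};
  const dropped = [];
  for (const [key, value] of Object.entries(raw)) {
    if (key === "route" && typeof value === "string") {
      context.route = templateRoute(value);
    } else if (LABEL_KEYS.includes(key) && typeof value === "string") {
      const label = value.trim().toLowerCase().replace(/\s+/g, "_");
      if (LABEL.test(label) && !ID_LIKE.test(label)) context[key] = label;
      else dropped.push(key);
    } else {
      dropped.push(key); // unknown key: never forwarded
    }
  }
  return { context, dropped };
}

// Constructed sample input, not real data.
const sample = {
  page: "Billing Invoices",
  route: "/customers/84213/invoices?session=abc123",
  role: "admin",
  plan: "pro",
  entity: "invoice_9917342",
  email: "jane@example.com",
  authToken: "constructed-placeholder-token",
};
console.log(buildSafeContext(sample));
```

Only the names of dropped keys are returned, so the rejection list can be logged during an install review without echoing the rejected values.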

Need the full security detail?

The full security page covers hosted help, compiled context, scoped workspaces, ticket debugging context, and scheduler boundaries.