Prevent unauthorized access via URL

Hi all, is there a way to prevent unauthorized access to a published typebot via the URL (for self-hosted)? One method I can think of is to redirect the user if a certain prefilledVariable is empty. But I don't think this is 100% secure, is it?
6 Replies
Baptiste · 5mo ago
The bot is public by design. If you need to restrict where it can be executed, go to Settings; under the Security section you can specify the allowed origin there.
helloryz (OP) · 5mo ago
I see, understood. Thanks for your response. Yeah, allow origin helps but it does not restrict someone from directly accessing it via the typebot viewer URL (using apiHost and typebot ID) if I understand correctly. I guess the best way for now is to do it directly in the build-app itself through a token variable, passing it to prefilledVariables and do some check.
helloryz (OP) · 5mo ago
GitHub
Prevent bots from accessing via direct URLs. · Issue #1812 · baptis...
Is your feature request related to a problem? Please describe. When we configure Allowed Origins with our specified domains, it restricts access for other domains. However, if the bot can be access...
Anthony · 5mo ago
One way to make it more difficult for someone to copy the Typebot ID and access it via the Typebot viewer URL would be to obfuscate the ID with recursive multiple-arguments self-calling functions, so that the "end" ID wouldn't appear directly in the script tag. Another way I can think of and that requires you to have full control over your website (frontend and backend) could be to call a server-side function (or a similar server-side solution) as the value of typebot in:
Typebot.initStandard({ typebot: "TYPEBOT_ID" });
I am not entirely sure the expected behavior would happen with the specific way I mentioned it, but I suspect a potential solution with server-side rendering. Maybe even an extra Custom HTML Element on top of <typebot-standard>, with a server-side function call to retrieve the Typebot ID without exposing it in the final parent Custom HTML Element? It could break the Typebot displayed to the user, but if it works, I suppose it's worth the try. I'm still learning, so I'm curious to know if any of my suggestions doesn't make sense from a technical point of view.
Baptiste · 5mo ago
Yes, I'd like to prevent it from working from the typebot public URL if Allowed origins isn't empty.
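
The token check helloryz describes earlier in the thread, sketched as an added example (not code from the thread or from Typebot): a backend mints a short-lived HMAC-signed token, and a backend endpoint verifies it, so a copied or guessed value fails where a plain "is the variable empty" test would pass. Assumptions: the page passes the token through prefilledVariables in a variable hypothetically named `accessToken`, the bot's flow sends it back to your own endpoint before continuing, and the secret, TTL and function names are illustrative.

```javascript
// Added example: signed, expiring token for a prefilled variable (names are hypothetical).
const crypto = require('node:crypto');

// Assumption: the secret exists only on the backend, never in page source.
const SECRET = process.env.BOT_TOKEN_SECRET || 'constructed-demo-secret';
const TTL_SECONDS = 300;

const b64u = (data) => Buffer.from(data).toString('base64url');
const sign = (payload, secret) =>
  crypto.createHmac('sha256', secret).update(payload).digest();

// Backend: called when rendering the page for an already-authenticated user.
// The page would embed the result as, for example:
//   Typebot.initStandard({ typebot: "TYPEBOT_ID",
//                          prefilledVariables: { accessToken: token } });
function issueToken(userId, now = Date.now(), secret = SECRET) {
  const exp = Math.floor(now / 1000) + TTL_SECONDS;
  const payload = b64u(JSON.stringify({ sub: userId, exp }));
  return `${payload}.${b64u(sign(payload, secret))}`;
}

// Backend: called by the endpoint that the bot's flow queries with the token.
function verifyToken(token, now = Date.now(), secret = SECRET) {
  if (typeof token !== 'string' || token === '') {
    return { ok: false, reason: 'missing' };
  }
  const parts = token.split('.');
  if (parts.length !== 2) return { ok: false, reason: 'malformed' };
  const [payload, mac] = parts;
  const expected = sign(payload, secret);
  const given = Buffer.from(mac, 'base64url');
  // Constant-time comparison; the length check avoids a throw on mismatch.
  if (given.length !== expected.length ||
      !crypto.timingSafeEqual(given, expected)) {
    return { ok: false, reason: 'bad-signature' };
  }
  let claims;
  try {
    claims = JSON.parse(Buffer.from(payload, 'base64url').toString('utf8'));
  } catch {
    return { ok: false, reason: 'malformed' };
  }
  if (typeof claims.exp !== 'number' || claims.exp * 1000 <= now) {
    return { ok: false, reason: 'expired' };
  }
  return { ok: true, sub: claims.sub };
}
```

The check runs on the server that holds the secret; the bot only branches on the `ok` result it gets back.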
