What are the trusted Whatfix domains to whitelist?
- 09 Mar 2023
- 1 Minute To Read
-
Print
-
DarkLight
-
PDF
What are the trusted Whatfix domains to whitelist?
- Updated On 09 Mar 2023
- 1 Minute To Read
-
Print
-
DarkLight
-
PDF
If your organization uses a firewall to restrict network access to only specific websites or software, then you need to whitelist the following domains to ensure that your app can communicate with Whatfix and fetch content for your end users to view.
Also, if your organization has a Content Security Policy (CSP) in place to block external code insertions, then it could prevent Whatfix from working on your app.
To prevent this from happening and to resolve CSP violation errors, the following domains must be added as an exception (Whitelisted) as part of the application's CSP headers. For more information, see Content Security Policy Reference.
Domains to Whitelist:
For all users (excluding EU data center users):
https://whatfix.com
https://cdn.whatfix.com
Info:
The following domains also need to be whitelisted if you have configured Google Analytics for your account.
- https://www.google-analytics.com
- https://analytics.google.com
CSP directives to whitelist
Note:
- Depending on the deployment model, you need to whitelist only the necessary directives.
- Whitelist Google Analytics (GA) domains only if you have it configured for your account.
| Deployment Model | CSP Directives | Domain/value |
| Export (Content on the same server) | connect-src | *whatfix.com |
| www.google-analytics.com | ||
analytics.google.com | ||
| style-src | unsafe-inline | |
| img-src | data: | |
| www.google-analytics.com | ||
| analytics.google.com | ||
| Export (Content fetched from a different domain server) | connect-src | *whatfix.com |
| www.google-analytics.com | ||
| analytics.google.com | ||
| script-src | *.<domain>, <domain> | |
| frame-src | ||
| style-src | unsafe-inline | |
| img-src | data: | |
| www.google-analytics.com | ||
| analytics.google.com | ||
| CDN | connect-src | *whatfix.com |
| *.whatfix.com | ||
| www.google-analytics.com | ||
| analytics.google.com | ||
| script-src | *.whatfix.com | |
| frame-src | ||
| style-src | unsafe-inline | |
| img-src | www.google-analytics.com | |
| analytics.google.com | ||
| data: | ||
| Extension | connect-src | www.google-analytics.com |
| analytics.google.com | ||
| img-src | data: | |
| www.google-analytics.com | ||
| analytics.google.com | ||
| Dev script | connect-src | *.whatfix.com |
| *whatfix.com | ||
| www.google-analytics.com | ||
| analytics.google.com | ||
| img-src | data: | |
| www.google-analytics.com | ||
| analytics.google.com | ||
| script-src | *.whatfix.com *whatfix.com | |
| frame-src | ||
For EU data center users:
- https://eu.whatfix.com/
- https://eucdn.whatfix.com/
CSP directives to whitelist for EU Data Centers
| Deployment Model | CSP Directives | Domain/value |
| CDN | connect-src | *whatfix.com |
| *.whatfix.com | ||
| script-src | *.whatfix.com | |
| frame-src | ||
Dev script | connect-src | *.whatfix.com *whatfix.com |
| script-src | ||
| frame-src | ||
Note
- Your IT Admin can help in whitelisting the domains mentioned above.
- If you are using any video or image links in your Whatfix content, then you need to whitelist those domains as well. For example, if you embed a YouTube video in a vivid Pop-up, then you need to whitelist youtube.com.
When do domains need whitelisting?
Whatfix recommends whitelisting the domains as soon as you start creating content on Whatfix. This way, content creators will not have any issues previewing and testing the content.
IP addresses to Whitelist
| IPv4 | IPv6 |
173.245.48.0/20 | 2400:cb00::/32 |
103.21.244.0/22 | 2606:4700::/32 |
103.22.200.0/22 | 2803:f800::/32 |
103.31.4.0/22 | 2405:b500::/32 |
141.101.64.0/18 | 2405:8100::/32 |
108.162.192.0/18 | 2a06:98c0::/29 |
190.93.240.0/20 | 2c0f:f248::/32 |
188.114.96.0/20 | |
197.234.240.0/22 | |
198.41.128.0/17 | |
162.158.0.0/15 | |
172.64.0.0/13 | |
131.0.72.0/22 | |
| 104.24.0.0/13 | |
| 104.24.0.0/14 |
Note
IP addresses are the same for all users.
Best Practices
Make sure you have applied the policy to every page. This must include error pages as well.
Was this article helpful?