Advanced Security
Advanced Security protects your widget from unauthorized use and traffic spikes, especially when your script is public on a production site. AskVio combines multiple controls that can be enabled together.
1) Domain allowlisting (origin checks)
When allowlisting is enabled, AskVio checks the request origin and only accepts calls from approved domains. This prevents unknown sites from embedding your widget and sending traffic under your account.
- Use exact origins you control (for example, production + staging).
- If a request comes from a non-allowlisted origin, it is rejected.
- Best practice: keep staging/test domains in the list only while actively used.
2) Widget initialization token
AskVio can issue short-lived initialization tokens for the widget. Each token is tied to your client and can include the request origin. The Search endpoint then validates that token before processing queries.
- TTL: token lifetime is configurable and clamped to a safe range (short-lived by design).
- Binding: token is validated against your workspace and request origin.
- Result: copied scripts or replayed calls become much harder to abuse.
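The flow described in sections 1 and 2, as an added example that is not AskVio's own code: an exact-match origin check at issuance, a clamped TTL, and an HMAC-signed token that the search side validates against client and origin. The token format, key, workspace id, allowlist and clamp range are assumptions made up for illustration.

```python
import base64, hashlib, hmac, json, time

# All names and values below are assumptions for illustration, not AskVio's.
SECRET = b"constructed-demo-key"          # per-deployment signing key (constructed)
ALLOWED = {"ws_demo": {"https://www.example.com", "https://staging.example.com"}}
TTL_MIN, TTL_MAX = 30, 600                # assumed clamp range, in seconds


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _sign(payload: str) -> str:
    return _b64(hmac.new(SECRET, payload.encode(), hashlib.sha256).digest())


def issue_token(client_id, origin, ttl, now=None):
    """Return a signed token, or None if the origin is not allowlisted."""
    if origin not in ALLOWED.get(client_id, set()):   # exact-match origin check
        return None
    ttl = max(TTL_MIN, min(TTL_MAX, int(ttl)))        # clamp requested lifetime
    now = int(time.time() if now is None else now)
    claims = {"cid": client_id, "org": origin, "exp": now + ttl}
    payload = _b64(json.dumps(claims, sort_keys=True).encode())
    return payload + "." + _sign(payload)


def verify_token(token, client_id, origin, now=None):
    """Return (ok, reason) for a search request carrying `token`."""
    payload, sep, sig = token.partition(".")
    # Constant-time comparison of the presented and recomputed signatures.
    if not sep or not hmac.compare_digest(sig.encode(), _sign(payload).encode()):
        return False, "bad_signature"
    try:
        claims = json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))
    except ValueError:
        return False, "malformed"
    now = int(time.time() if now is None else now)
    if now >= claims["exp"]:
        return False, "expired"
    if claims["cid"] != client_id:
        return False, "wrong_client"
    if claims["org"] != origin:
        return False, "wrong_origin"
    return True, "ok"
```

A token copied to another site fails with `wrong_origin`, and a captured token stops working once the clamped lifetime passes.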
3) Layered rate limits
Rate limiting is applied across three dimensions so one noisy source does not degrade service for everyone:
- Per IP / minute to limit single-source bursts.
- Per client / minute to protect overall account capacity.
- Per client+origin / minute to isolate spikes from one host/origin.
4) Abuse detection and temporary blocking
When repeated limit violations are detected, AskVio can temporarily block traffic by IP, client, and client+origin for a configurable duration. This keeps abusive traffic from continuously retrying and consuming resources.
Recommended setup
- Enable domain allowlisting first.
- Turn on widget init tokens for public websites.
- Start with conservative rate limits and tune after observing real traffic.
- Keep abuse blocking enabled in production.