We've added support of specifying web origins from which flespi tokens are allowed to be used.
Note: allowed origins validation works only for the requests performed in the web browsers. Requests sent from backend applications aren't affected by this validation.
You can set allowed origins in token origins field via API:
or in Allowed origins field via flespi panel:
Wildcard characters * and ? are supported in custom origins. Asterisk * matches to the interdomain dot-character . as well.
It is strongly recommended always to allow access to the flespi origins for your tokens unless you want to block access to the flespi panel and all the flespi public projects. In order to allow flespi origins you need to add
{"preset":"flespi"} object as one of the origins via API or select all flespi origins via flespi panel (see the screenshots above).