Allowed Domains

Restrict which domains can submit to your form endpoint. Submissions from unauthorized domains are rejected with a 403 error.

How it works

When allowedDomains is set, FormFast checks the Origin or Referer header of incoming requests against your allowed list. Subdomains are matched automatically — allowing example.com also allows www.example.com and blog.example.com.

Configuration

Set allowed domains as a comma-separated list in your form settings:

JSON

{
  "allowedDomains": "example.com, mysite.org"
}

Remove restrictions

Set allowedDomains to null to accept submissions from any domain:

JSON

{
  "allowedDomains": null
}

Testing locally

If you have domain restrictions enabled and need to test locally, add localhost to your allowed domains list.

PreviousAuto-Replies NextValidation Rules