Creating Secure Embeds


Embeds to be deprecated August 2023

It is now recommended to use the Web SDK to embed apps (CXR 18.1+) into other sites as Airkit embeds are no longer supported.

Best practice often requires applying restrictive security when incorporating embeds into Websites. This is particularly important when working in enterprise environments with established security policies. In this doc, we discuss how to embed Airkit apps so that they comply with whatever security practices are in place.

Configuring Secure Airkit Embeds

An Airkit Embed comes out of the box with two script tags: one that loads the embed, and a bare script tag that creates the client. The following example shows how they might appear:

        <script src=""></script>

If copied and pasted into a website directly, the latter tag can count as an unsafe inline script. To subject it to established security policies, the contents of that script tag need to be placed inside a separate JS file that is referenced within the website.

In order to incorporate this file, you must also modify your Content-Security-Policy header to allow as well as the URL that hosts your app. This is done by:

  • Adding to the script-src directive
  • Adding the URL that hosts the Airkit app to the default-src and connect-src directives
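A quick way to confirm that a site's policy follows the steps above is to parse the header and check each directive. This is an added example, not Airkit code; `EMBED_SCRIPT_ORIGIN` and `APP_ORIGIN` are placeholder origins, since the real values depend on your embed and app. It compares source expressions by exact match only and does not evaluate wildcard hosts.

```javascript
// Placeholder origins (assumptions): substitute the real script and app hosts.
const EMBED_SCRIPT_ORIGIN = "https://embed-loader.example";
const APP_ORIGIN = "https://my-app.example";

// Parse a Content-Security-Policy header value into Map<directive, sources[]>.
function parseCsp(header) {
  const policy = new Map();
  for (const part of header.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // A repeated directive is ignored by browsers; the first occurrence wins.
    if (!policy.has(name)) policy.set(name, tokens.slice(1).map((s) => s.toLowerCase()));
  }
  return policy;
}

// Return a list of problems; an empty list means the policy matches the steps above.
function checkEmbedCsp(header, scriptOrigin = EMBED_SCRIPT_ORIGIN, appOrigin = APP_ORIGIN) {
  const policy = parseCsp(header);
  const problems = [];
  const script = scriptOrigin.toLowerCase();
  const app = appOrigin.toLowerCase();
  const fallback = policy.get("default-src") || [];
  // script-src and connect-src fall back to default-src when they are absent.
  const scriptSrc = policy.get("script-src") || fallback;
  const connectSrc = policy.get("connect-src") || fallback;

  if (scriptSrc.includes("'unsafe-inline'"))
    problems.push("script-src lists 'unsafe-inline'; load the client script from a JS file instead");
  if (!scriptSrc.includes(script)) problems.push(`script-src is missing ${script}`);
  if (!fallback.includes(app)) problems.push(`default-src is missing ${app}`);
  if (!connectSrc.includes(app)) problems.push(`connect-src is missing ${app}`);
  return problems;
}

// Constructed sample headers: a policy before and after the changes.
const weak = "default-src 'self'; script-src 'self' 'unsafe-inline'";
const fixed = "default-src 'self' https://my-app.example; " +
  "script-src 'self' https://embed-loader.example; " +
  "connect-src 'self' https://my-app.example";
console.log(checkEmbedCsp(weak));
console.log(checkEmbedCsp(fixed));
```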