By default, your Helpdesky widget, contact form, and ticket center load on any website where you paste the embed code. The Allowed Embed Domains setting lets you lock that down, so your embeds only work on domains you approve. This is useful when you want to stop other sites from loading your support tools or showing your knowledge base content.
This guide explains what the feature does, how to configure it, and what a blocked embed looks like.
What Allowed Embed Domains Does
When you add one or more domains to the allow list, Helpdesky checks the origin of every request your embeds make. If a request comes from a domain that is not on the list, Helpdesky rejects it. If the list is empty, every domain is allowed, which is the default behavior.
The setting covers all three messaging embeds:
- The widget (the floating help button)
- The contact form
- The ticket center
It also controls which sites can place your help center pages inside an iframe.
Where to Find the Setting
Open your Helpdesky dashboard and go to Settings, then open the Messages tab. Scroll down to the Allowed Embed Domains card. The on screen description reads: "Restrict which websites can embed your widget, contact form, and ticket center. Subdomains are automatically included. Leave empty to allow embedding from any domain."
How to Add a Domain
Type a domain into the input field, for example example.com, then press Enter or click the add button. The domain appears as a tag below the field, and the change saves right away.
You do not need to include https:// or a path. If you paste a full URL, Helpdesky cleans it for you and keeps just the domain. Add as many domains as you need, one at a time.
How to Remove a Domain
Each saved domain shows as a tag with a small X next to it. Click the X to remove that domain. The change saves immediately, and that domain can no longer load your embeds.
Subdomains Are Included Automatically
When you add a domain, every subdomain is covered too. For example, adding example.com also allows:
app.example.comsupport.example.comhelp.example.com
You do not need to list each subdomain separately. Add the root domain and all of its subdomains are approved.
Leaving the List Empty Allows Everything
If you remove every domain and leave the list empty, your embeds load on any website. This is the default, and it is the right choice when you want maximum reach or when you embed on many sites you do not control. Only add domains when you specifically want to restrict where your embeds appear.
What a Blocked Embed Looks Like
When a domain is not on your allow list, the embed cannot load its data. Here is what you will see:
- The widget, contact form, or ticket center fails to load or appears empty.
- The browser developer console shows a blocked request with a 403 status and a message like "Origin not allowed".
- Help center pages loaded inside an iframe are blocked from framing on disallowed domains.
This is expected. It means the protection is working and an unapproved site cannot use your embeds.
Troubleshooting
My embed stopped working after I added a domain. Make sure the domain you added exactly matches the site where the embed runs. Check the address bar of the live site and add that domain. Remember that subdomains are already covered, so you only need the root domain.
I added the domain but still see a 403. Confirm you entered the domain without https:// and without a trailing path. The input cleans these for you, but double check that the saved tag shows only the domain, for example example.com.
I want to allow every site again. Remove all domains from the list. An empty list allows embedding from any domain.
Next Steps
Once your domains are set, revisit the relevant setup guides to confirm everything still loads correctly:
- Adding the Widget to Your Site
- Widget Messaging Setup Guide
- Contact Form Setup Guide
- Ticket Center Setup Guide
- Messaging Channels Overview
If you embed on a domain you control, add it to the list and test the embed to make sure it loads as expected.