Enable communication with Mosaic APIs
For successful integration, make sure your environment doesn't disrupt the communication with Mosaic's resources:
- Allow URLs and IP addresses
- Update the Content Security Policy (if it's already deployed)
Allow URLs and IP addresses
Before deploying the application to production, configure your firewall or other networking devices to allow Mosaic's domains and IP addresses.
Allow the following domains:
- *.transmitsecurity.io
- *.riskid.security
- *.identity.security
Also, contact your account manager for a list of production IP addresses and allow them all on your network.
Configure the Content Security Policy
Content Security Policy (CSP) helps prevent and mitigate certain types of attacks (XSS, injections...) through input sanitation and other measures.
If you have a deployed CSP in your application, you'll need to authorize the scripts and apply the policy to connections from AJAX and WebSocket.
To authorize the scripts and the connections, add the following directives to the Content-Security-Policy header:
script-src <existing-content> https://cdn.riskid.security/sdk/web_sdk_latest.js
connect-src <existing-content> https://api.transmitsecurity.io/risk-collect/ https://api.transmitsecurity.io/ https://api.eu.transmitsecurity.io
Example implementation for Node.js:
var http = require('http');

http.createServer(function (req, res) {
  // Host sources are written without quotes; only keywords such as 'self' are quoted.
  res.setHeader(
    "Content-Security-Policy",
    "script-src 'self' https://cdn.riskid.security/sdk/web_sdk_latest.js; connect-src 'self' https://api.transmitsecurity.io/risk-collect/ https://api.transmitsecurity.io https://api.eu.transmitsecurity.io"
  );
  // Do the rest: serve the content...
}).listen(1234);
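When a policy is already deployed, the `<existing-content>` part has to be preserved while the sources above are appended. The following is an added example, not Mosaic's own code: `mergeMosaicSources` and `parseCsp` are hypothetical helper names, and the sample policy is constructed. It also covers the case where `script-src` or `connect-src` is missing and the browser currently falls back to `default-src`.

```javascript
// Added example: merge the sources listed on this page into an existing CSP.
const MOSAIC_SOURCES = {
  "script-src": ["https://cdn.riskid.security/sdk/web_sdk_latest.js"],
  "connect-src": [
    "https://api.transmitsecurity.io/risk-collect/",
    "https://api.transmitsecurity.io/",
    "https://api.eu.transmitsecurity.io",
  ],
};

// Parse "name v1 v2; name2 v3" into a Map, keeping directive order.
function parseCsp(policy) {
  const directives = new Map();
  for (const part of policy.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // Browsers ignore a repeated directive, so keep only the first.
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// Hypothetical helper (not part of any SDK): returns the merged header value.
function mergeMosaicSources(existingPolicy) {
  const directives = parseCsp(existingPolicy);
  for (const [name, required] of Object.entries(MOSAIC_SOURCES)) {
    let sources = directives.get(name);
    if (!sources) {
      const fallback = directives.get("default-src");
      // Neither the directive nor default-src is set: this fetch type is
      // unrestricted, and adding a directive would only tighten it.
      if (!fallback) continue;
      // A new directive replaces the default-src fallback, so start from it.
      sources = [...fallback];
    }
    // 'none' must stand alone; drop it once a real source is added.
    sources = sources.filter((s) => s.toLowerCase() !== "'none'");
    for (const src of required) {
      if (!sources.includes(src)) sources.push(src);
    }
    directives.set(name, sources);
  }
  return [...directives].map(([n, v]) => [n, ...v].join(" ")).join("; ");
}

// Constructed sample policy with no connect-src directive.
const sample = "default-src 'self'; script-src 'self' https://static.example.com";
console.log(mergeMosaicSources(sample));
```

Running the merge twice yields the same header, so it can be applied on every deployment without duplicating sources.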
For additional information, see Content Security Policy (MDN) and the documentation for your programming language or framework.