Agent
Installation Configuration Upgrading Uninstallation Requirements Troubleshooting
Plugins
Overview Redis MySQL PostgreSQL MongoDB Nginx Apache PHP-FPM Memcached RabbitMQ Elasticsearch Meilisearch Varnish HAProxy Docker VictoriaMetrics
API
Overview Authentication Monitors (soon) Incidents (soon) Status Pages (soon) Errors (soon)
RUM & Replay
Overview Quickstart Session Replay Custom Events Error Tracking Troubleshooting
OTLP & Tracing
Overview Distributed Traces Structured Logs Custom Metrics Language SDKs Troubleshooting
Observability Apps
Overview Creating Apps Quota Management Domain Whitelist Top-Up Credits
Alert Manager
Overview Anomaly Detection Alert Channels Thresholds

Domain Whitelisting

Configure CORS for RUM apps to control which domains can send data.

Why Domain Whitelisting?

Security benefits:

  • Prevent unauthorized data submission
  • Block spam/fake sessions
  • Protect API quota
  • Ensure data integrity

Adding Domains

Dashboard β†’ Observability β†’ Apps β†’ [RUM App] β†’ Settings β†’ Domains

Exact Match

example.com
www.example.com
app.example.com

Wildcard Subdomains

*.example.com  # Matches: app.example.com, admin.example.com, etc.

Multiple Domains

Separate by newline or comma:

example.com
*.example.com
myapp.com
www.myapp.com

Development Environments

Localhost

localhost
localhost:3000
localhost:8080
127.0.0.1
127.0.0.1:3000

Preview Deployments

Vercel, Netlify preview URLs:

*.vercel.app
*.netlify.app
preview-*.example.com

CORS Configuration

RUM endpoint enforces CORS:

Preflight Request (OPTIONS)

Browser sends:

OPTIONS /v1/ingest HTTP/1.1
Origin: https://example.com
Access-Control-Request-Method: POST

StatusRadar responds:

Access-Control-Allow-Origin: https://example.com
Access-Control-Allow-Methods: POST
Access-Control-Max-Age: 86400

Actual Request (POST)

If domain allowed:

HTTP/1.1 202 Accepted
Access-Control-Allow-Origin: https://example.com

If domain blocked:

HTTP/1.1 403 Forbidden
{"error": "Domain not whitelisted"}

Troubleshooting

CORS Error in Console

Access to fetch at 'https://rum.statusradar.dev/v1/ingest' 
from origin 'https://mysite.com' has been blocked by CORS policy

Solution:

  1. Add mysite.com to domain whitelist
  2. Wait 1-2 minutes for cache to clear
  3. Hard refresh (Ctrl+Shift+R)

Subdomain Not Working

Problem: Added example.com but www.example.com blocked

Solution: Add both OR use wildcard:

example.com
*.example.com

Localhost Blocked

Solution: Add localhost variants:

localhost
localhost:3000
127.0.0.1:3000

Preview URLs Changing

For dynamic preview URLs (e.g., pr-123.vercel.app):

Solution: Use wildcard:

*.vercel.app
*.netlify.app

Security Best Practices

βœ… DO:

  • Only whitelist domains you control
  • Use wildcards sparingly
  • Remove unused domains
  • Monitor for unauthorized attempts

❌ DON'T:

  • Whitelist * (all domains)
  • Leave test domains in production
  • Share API keys publicly
  • Ignore CORS errors

Custom Domains (Pro Plan)

Use your own domain for RUM endpoint:

  1. Settings β†’ Custom Domain
  2. Add CNAME record:
    rum.yoursite.com β†’ rum.statusradar.dev
  3. Verify ownership
  4. Update SDK endpoint:
    rum.configure({
  endpoint: 'https://rum.yoursite.com/v1/ingest'
});

Benefits:

  • Bypass ad blockers (less likely to block)
  • Brand consistency
  • Custom SSL certificate

API Management

List Domains

curl -H "Authorization: Bearer $API_KEY" \
  https://statusradar.dev/api/observability/apps/{app_id}/domains

Add Domain

curl -X POST \
  -H "Authorization: Bearer $API_KEY" \
  -d '{"domain": "newsite.com"}' \
  https://statusradar.dev/api/observability/apps/{app_id}/domains

Remove Domain

curl -X DELETE \
  -H "Authorization: Bearer $API_KEY" \
  https://statusradar.dev/api/observability/apps/{app_id}/domains/{domain_id}

Next Steps

On this page