Embedding forms on your website or landing page should be seamless and secure—but what happens when someone copies your embed code and displays your form on a site you never approved? Suddenly, your data, leads, or even your reputation could be at risk.
That’s why StartBoard lets you take back control. With our domain authorization feature, you choose exactly which websites are allowed to display your forms—whether you embed them via iframe or JavaScript. If someone tries to use your form on an unauthorized domain, it simply won’t load. No data captured, no exposure, no surprises.
It’s simple: only trusted, pre-approved sites can display your forms. This protects you from data leaks, unauthorized lead capture, and keeps your workflows fully compliant. In this article, discover how StartBoard’s “domain whitelisting” works, why it matters for your business, and how to set it up in just a few clicks—so your forms are always as secure as your brand.
Why Embedding Control Matters
Leaving your forms open to any website isn’t just a technical oversight—it’s a real business risk. Without embed security and domain whitelisting, anyone could take your form’s code and publish it anywhere on the web. The consequences? Serious threats to both your data and your reputation.
Data leakage prevention is essential: if unauthorized sites display your forms, sensitive customer information could be harvested by third parties or even malicious actors. Worse, attackers could use your forms for phishing—tricking users into submitting their information in contexts you never intended.
Unauthorized lead capture is another real risk: competitors or fraudulent sites could collect the leads you paid to generate, diverting them away from your business.
By using domain-based protection, you ensure that only trusted, pre-approved websites can display your forms. This isn’t just about protecting data—it’s about upholding your brand’s integrity, maintaining user trust, and meeting strict compliance requirements like GDPR. Domain whitelisting acts as a powerful safeguard, giving you full control and total peace of mind every time you embed a form.
How Domain Authorization Works on StartBoard
With StartBoard, domain authorization puts you in control from the very first step. When you generate a new form, you explicitly define a list of allowed domains—for example, yourwebsite.com or app.clientdomain.com. These are the only domains permitted to display your form, whether you embed it via iframe or JavaScript.
How does it work in practice? Every time a user tries to load your form, StartBoard runs behind-the-scenes validation checks. If the request comes from an approved domain, the form loads instantly (green check). If someone copies your embed code to an unapproved or unknown site, strict embed restriction kicks in—the form simply won’t load, protecting your data and your users.
Even better, domain authorization is team-managed security. Multiple team members can update the allowed domain list, ensuring it always reflects your business needs, even as your web presence evolves.
Want step-by-step instructions?
Read our technical guide on configuring allowed domains for full details and best practices.
Step-by-Step: Adding & Managing Authorized Sites
Securing your forms on StartBoard is fast and team-friendly. Here’s how:
Step 1: Use the domain management interface
As a team admin, access the main security settings. Add or update your list of authorized websites—these are the only domains allowed to display any of your organization’s forms.
Step 2: Assign domains to specific forms
When creating or editing a form, go to “Authorized Domains” in the form settings. Select one or more domains from your approved list. You control exactly where each form appears, using simple checkboxes—no technical setup needed.
Step 3: Real-time enforcement
Hit “Save” and your settings are applied instantly. There’s no need to regenerate or update your embed code—your team’s access controls and domain restrictions take effect right away.
This collaborative, real-time approach to security means your whole team can respond quickly to new needs—granting or revoking site access for any form at any time.
What Happens If a Form is Embedded on an Unauthorized Site?
When someone tries to display your StartBoard form on a website that’s not explicitly authorized, content blocking is instantly enforced. Instead of your form, users will see either a blank space, a custom error message, or a clear security warning—depending on your chosen settings.
No matter what, no data is ever captured or transmitted from unauthorized domains. The form simply won’t load, and any attempted submissions are completely ignored. This strict unauthorized embed policy protects you from data scraping, accidental data leakage, and deliberate misuse.
By preventing unapproved sites from displaying or collecting information through your forms, you ensure robust data exfiltration prevention—keeping sensitive customer information and lead data secure at all times.
Best Practices for Form Security
Protecting your forms doesn’t end with domain authorization. Follow these best practices to maximize security and peace of mind:
- Regularly conduct security audits
Review your authorized domain list at scheduled intervals. Remove outdated or unused domains to minimize exposure. - Implement strict access controls
Limit who can edit domain settings and form permissions. Only trusted team members should have access to security-critical features. - Enable embed monitoring and alerting
Set up notifications for every new embed attempt—especially if it comes from an unrecognized domain. Prompt alerts allow you to respond quickly to any unauthorized activity. - Monitor access logs for anomalies
Regularly review form access logs for suspicious patterns, such as repeated failed loads or embed attempts from unusual locations.
By following these practices, you turn form security from a one-time setup into a continuous, team-managed process—ensuring your data and reputation are always protected.
