L7 firewall configuration

This guide provides helpful information if you need to secure your Cobrowse implementation behind an L7 firewall. There are two subsets of the API, one generally used by internal roles and one by external roles.

Paths are listed as prefixes only – all subpaths must be allowed by a firewall configuration.

SDK APIs

Required endpoints

Here you can find the subset of the APIs that must be accessible to end user devices running our SDKs.

# Only a subset of the REST API is required for SDK use
/api/1/devices
/api/1/sessions

# And the WebSocket API.
# Firewalls must be configured to support WebSocket traffic on these routes 
/sockets/1/

Universal Cobrowse / PDF viewer

The following endpoints must be accessible when using Universal Cobrowse and/or PDF viewer.

/proxy/1/universal
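
The following sketch is an added example, not Cobrowse code. It shows how an allowlist rule for the end-user-facing edge can match the prefixes listed above without being bypassed by look-alike or encoded paths. It assumes a separate edge for end user devices on which everything else is denied, prefix matching on path-segment boundaries, and rejection of paths that are still encoded after one decode pass. The function names are hypothetical.

```python
import posixpath
from urllib.parse import unquote

# Prefixes copied from the lists above. UNIVERSAL is only needed when
# Universal Cobrowse and/or the PDF viewer is in use.
SDK_REST = ("/api/1/devices", "/api/1/sessions")
SDK_WEBSOCKET = ("/sockets/1/",)
UNIVERSAL = ("/proxy/1/universal",)


def normalize(raw_target):
    """Decode the path once and resolve dot segments; None if ambiguous."""
    path = unquote(raw_target.partition("?")[0])  # query string is not inspected
    # Assumption: anything still encoded after one decode pass, or carrying
    # backslashes or NUL bytes, is rejected rather than guessed at.
    if not path.startswith("/") or any(c in path for c in "%\\\x00"):
        return None
    clean = posixpath.normpath(path)
    # normpath strips a trailing slash; restore it so "/sockets/1/" still matches.
    return clean + "/" if path.endswith("/") and clean != "/" else clean


def has_prefix(path, prefix):
    """Segment-aware match: the prefix itself or any subpath beneath it."""
    base = prefix.rstrip("/")
    return path == base or path.startswith(base + "/")


def classify(raw_target, universal=False):
    """Return (decision, route_kind) for a request on the SDK-facing edge."""
    path = normalize(raw_target)
    if path is None:
        return ("deny", "ambiguous-path")
    if any(has_prefix(path, p) for p in SDK_WEBSOCKET):
        return ("allow", "websocket")  # this rule must also permit the Upgrade handshake
    if any(has_prefix(path, p) for p in SDK_REST):
        return ("allow", "rest")
    if universal and any(has_prefix(path, p) for p in UNIVERSAL):
        return ("allow", "universal")
    return ("deny", "not-sdk-route")  # assumed default-deny on this edge
```

The classifier only reads the path, so the query string and headers pass through untouched on allowed routes.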

Pinning the web SDK version

If you choose to pin the web SDK using the version that is shipped with your deployment, then you will also need to add that route.

Cobrowse AI

SDK APIs

The following endpoints must also be accessible from the end user devices when using Cobrowse AI.

MCP orchestrator

If using MCP, this endpoint only needs to be accessible to your MCP orchestrator, not to end user devices, so it may not need to be public.

Agent-side APIs

Required endpoints

These are the APIs required by the agent dashboard, or embedded agent side UI.

As well as the routes above, the HTML frontend must also be accessible for agents. Paths include.

Important: The frontend is built as a static single page application, with an index.html entrypoint. Any route not included in the prefixes listed above should be considered a frontend route and resolve to /index.html.

Headers and Query Parameters

All headers, including custom headers, must be forwarded on the non-frontend routes. All query parameters must be forwarded on all routes.
