Firewall Configuration for Descope

To enable seamless integration with Descope’s authentication and authorization services, your organization’s firewall Access Control List (ACL) must allow specific domains. This page outlines the necessary configurations to ensure smooth access to Descope services, supporting secure user authentication, API interactions, and asset loading.

Required Domains for Descope Access

You can override the serving of static assets from static.descope.com by setting the baseStaticUrl parameter in the Descope SDK configuration.

To use Descope’s services, allow the following domains in your firewall:

  • API Access: api.descope.com or your own Custom Domain if configured.

    • Purpose: Manages all API requests, including user authentication, session handling, and user management.
    • Protocol: HTTPS (port 443).
  • Static Assets: static.descope.com or your own domain if overriding with the baseStaticUrl described above.

    • Purpose: Hosts static assets, such as JavaScript files and stylesheets, required for Descope’s embedded UIs and widgets.
    • Protocol: HTTPS (port 443).

These domains must be accessible by your network to ensure the correct functioning of Descope’s services.

Firewall Configuration Recommendations

  1. Allow Only Secure HTTPS Access

    • Restrict access to HTTPS (port 443) to ensure secure communication.
    • Block plain HTTP access so that only secure connections are permitted.
  2. Domain-Based ACL Rules

    • Use domain-based rules (api.descope.com and static.descope.com) rather than IP-based rules due to Descope’s use of a global, dynamic CDN. This ensures that any IP changes do not disrupt connectivity.
  3. Monitoring and Logging

    • Regularly audit and log traffic to Descope domains to monitor for anomalies or unauthorized access attempts.
    • Track error logs for any 403 or 404 responses, as these may indicate firewall misconfigurations.

Security Best Practices

  • Limit Access to Necessary Services: Only permit access to api.descope.com and static.descope.com to minimize exposure.
  • Rate Limiting: Apply rate limits to protect your environment from potential abuse. Descope’s built-in rate limiting complements this, but adding your own can enhance security.
  • Periodic Verification: Confirm accessibility to these domains regularly, especially during network updates or firewall policy changes.

Frequently Asked Questions (FAQs)

1. What if our firewall requires IP-based rules?
Descope leverages a CDN with dynamic IPs, so domain-based rules are recommended. If IP-based restrictions are mandatory, consider using DNS resolution with dynamic updating.

2. Do we need any other ports open?
Descope only requires HTTPS on port 443 for both API and static asset requests.

3. How can we check if an issue is firewall-related?
Run a DNS lookup or ping api.descope.com and static.descope.com from your network. Inaccessibility may indicate a firewall block.
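
A staged check for the question above, added here as an example and not Descope's own tooling: it goes beyond a DNS lookup or ping by also completing a certificate-verified TLS handshake on port 443, and reports the first stage that fails. The function names and stage labels are assumptions made for this example.

```python
import socket
import ssl

# Hosts and port come from this page; substitute your Custom Domain or
# baseStaticUrl host if you have configured one.
DESCOPE_HOSTS = ("api.descope.com", "static.descope.com")
PORT = 443

def tls_connect(host, port, timeout):
    """Open a TCP connection and complete a certificate-verified TLS handshake."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.version()

def diagnose(host, port=PORT, timeout=5.0, resolve=socket.getaddrinfo, connect=tls_connect):
    """Return (stage, detail): the first stage that failed, or ("ok", TLS version)."""
    try:
        resolve(host, port, type=socket.SOCK_STREAM)
    except socket.gaierror as exc:
        return ("dns", f"name did not resolve (DNS filtering or resolver issue): {exc}")
    try:
        version = connect(host, port, timeout)
    except ssl.SSLCertVerificationError as exc:
        return ("tls-cert", f"certificate not trusted by this host (check for TLS inspection): {exc}")
    except ssl.SSLError as exc:
        return ("tls", f"TLS handshake failed: {exc}")
    except (socket.timeout, TimeoutError) as exc:
        return ("tcp-timeout", f"no reply on port {port}, packets are likely being dropped: {exc}")
    except (ConnectionRefusedError, ConnectionResetError) as exc:
        return ("tcp-reset", f"connection to port {port} was actively rejected: {exc}")
    except OSError as exc:
        return ("tcp", f"connection failed: {exc}")
    return ("ok", version)

if __name__ == "__main__":
    for name in DESCOPE_HOSTS:
        stage, detail = diagnose(name)
        print(f"{name}: {stage} ({detail})")
```

A `dns` or `tcp-timeout` result for only one of the two hosts points to an ACL that lists one domain but not the other.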

For assistance with configurations or troubleshooting, please reach out to Descope Support or consult additional Descope documentation for further integration guidance.
