Security is at the core of our culture and we have operated from a security-first mentality from day one.
Persona's security philosophy follows three principles:
- Building defense-in-depth against external threats
- Protecting against human error
- Guarding against misuse of insider access
If you are calling our external API with static IP addresses and want an additional layer of security beyond API key based authorization, you can restrict the IPs that Persona accepts requests from. To whitelist IP addresses, visit the Development page within the Persona dashboard.
The full list of IP addresses that webhook notifications may come from is:
220.127.116.11 18.104.22.168 22.214.171.124
The Embedded Flow boots an iframe that loads Persona. If you'd like to restrict the allowed domains that are allowed to boot the Embedded Flow, you can configure allowed domains in the Development page within the Persona dashboard.
Updated 19 days ago