Allowlist domains

1 minute readSecurity

This section lists the URLs that are used by the SDK to properly communicate with our outbound backend servers.

The following URLs are used by the SDK:

  • https://statestore.rollout.io/ - GET request to verify the state of new feature flags and customer properties.

  • https://conf.rollout.io/ - GET request to retrieve the latest configuration.

  • https://x-api.rollout.io/ - GET/POST request send to CloudBees Feature Management servers to indicate a new version is running, or a new state is discovered.

  • https://analytic.rollout.io/ - POST request to CloudBees Feature Management analytics servers, to see impressions on the dashboard.

  • https://push.rollout.io/ - Server Sent Events that get notifications upon a change in the configuration. No special firewall rules are required.

The following third-party URL is used by the SDK:

  • https://notify.bugsnag.com/ - POST request to Bugsnag tool. SDK error monitoring and reporting tool.

Content Security Policy (CSP)

If you are using Content Security Policy (CSP) to protect your application and users, then you will need to update your CSP configuration to allow your application to communicate with the CloudBees Feature Management servers.

Only browser-based SDKs require these settings.

Add the following URLs to your connect-src CSP settings.

  connect-src ...
    https://analytic.rollout.io
    https://conf.rollout.io
    https://push.rollout.io
    https://statestore.rollout.io
    https://x-api.rollout.io
    https://notify.bugsnag.com;
 ....