Allowed domains

Restrict where the Moviie Player can be embedded for a given organization.

Allowed domains protect your videos from being embedded on third-party sites. The check runs at the edge — embeds rendered from a domain that isn't allowlisted are blocked before any video bytes leave the CDN.

Default behaviour

Out of the box, embeds work on any domain. This is convenient while you prototype, but you should lock the allowlist down before going to production.

Configure your allowlist

Open the Moviie dashboard, navigate to Settings → Embeds, and add the domains you control. Examples:

acme.com
*.acme.com
staging.acme.com
localhost:3000

Wildcards (*.acme.com) match any single subdomain level. Use a literal entry per environment when you need finer-grained control.

Local development

Add localhost, localhost:3000, or any custom port you use to your allowlist. The check runs against the referrer, not the IP address — so even on a tunneled URL (e.g. ngrok) you only need to add the public hostname.

What viewers see when an embed is blocked

A blocked embed renders an inline error frame inside the iframe with a short message:

This video can only be played on authorised domains.

The error frame inherits the brand colours configured for the player.

Diagnosing a block

If you believe an embed is being blocked incorrectly:

  1. Confirm that the page sends a Referer header. Browsers strip the header when referrerpolicy="no-referrer" is set, and the Moviie embed cannot verify the request without it.
  2. Make sure the exact subdomain is in the allowlist. acme.com does not automatically allow www.acme.com.
  3. Reload the page after updating the allowlist — the cached embed response is invalidated within a few seconds.

If the issue persists, contact support with the blocked URL and the referring page so the request can be traced.
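
To check a referring URL against your allowlist before contacting support, the sketch below models the matching rules from "Configure your allowlist" and the checks in "Diagnosing a block". It is an added example, not Moviie's edge code: the function names (parseReferer, entryMatches, checkEmbed) are hypothetical, and the port handling is an assumption.

```javascript
// Added illustration: a local model of the allowlist rules described on this
// page. It is not Moviie's edge code; port handling is an assumption.
function parseReferer(referer) {
  if (!referer) return null;              // header stripped (e.g. no-referrer)
  try {
    const u = new URL(referer);
    return { host: u.hostname.toLowerCase(), port: u.port }; // "" = default port
  } catch {
    return null;                          // value is not a parseable URL
  }
}

function entryMatches(entry, ref) {
  const e = entry.trim().toLowerCase();
  const i = e.lastIndexOf(":");
  const [pattern, port] = i === -1 ? [e, ""] : [e.slice(0, i), e.slice(i + 1)];
  // Assumption: an entry without a port matches only default-port referrers.
  if (port !== ref.port) return false;
  if (!pattern.startsWith("*.")) return pattern === ref.host; // literal entry
  const base = pattern.slice(1);          // "*.acme.com" -> ".acme.com"
  if (!ref.host.endsWith(base)) return false;
  const label = ref.host.slice(0, -base.length);
  return label.length > 0 && !label.includes("."); // exactly one extra level
}

function checkEmbed(referer, allowlist) {
  const ref = parseReferer(referer);
  if (!ref) return { allowed: false, reason: "no usable Referer header" };
  const hit = allowlist.find((entry) => entryMatches(entry, ref));
  if (hit) return { allowed: true, reason: `matched ${hit}` };
  const seen = ref.port ? `${ref.host}:${ref.port}` : ref.host;
  return { allowed: false, reason: `${seen} not in allowlist` };
}

// Constructed sample input, using the example entries from this page.
const allowlist = ["acme.com", "*.acme.com", "localhost:3000"];
const samples = ["https://acme.com/watch", "https://a.b.acme.com/",
                 "http://localhost:3000/", ""];
for (const r of samples) {
  console.log(JSON.stringify(r), checkEmbed(r, allowlist));
}
```

Matching on a leading-dot suffix, rather than a plain "ends with acme.com", is what keeps a lookalike host such as notacme.com from satisfying *.acme.com.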
