Security & Sandboxing
The Supervised AI Bots plugin is designed with a security-first approach so that embedding external AI chatbots does not compromise your WordPress site's integrity or performance. Rather than inventing its own isolation layer, the plugin relies on standard browser mechanisms (a cross-origin iframe governed by the Same-Origin Policy) to contain external content.
Iframe Isolation
The plugin renders each chatbot inside an HTML5 iframe. Because the chatbot is served from the provider's origin rather than yours, the browser treats the frame as a separate cross-origin document, which provides several security benefits:
- Script Isolation: JavaScript running inside the cross-origin chatbot iframe cannot read or modify the parent WordPress page's Document Object Model (DOM), cookies, or local storage. A script injection in the chatbot interface therefore stays confined to the chatbot's origin and cannot act on your site or on a logged-in visitor's WordPress session.
- CSS Encapsulation: Your theme's styles and the chatbot's styles are kept separate. The chatbot's CSS cannot "leak" out and break your site's layout, and your theme cannot unintentionally restyle the chatbot.
- Origin Protection: The browser's Same-Origin Policy (SOP) prevents the framed chatbot from reading your page or any authenticated response from your WordPress site. The only sanctioned channel between the two documents is window.postMessage, and any listener you add on the WordPress side must check event.origin before trusting a message. The frame is not a path into your WordPress database or admin session.
Secure Connection Requirements
To keep the connection secure for your visitors, observe the following:
- SSL/HTTPS: Use only https:// URLs for your Supervised AI chatbots. Loading a plain http:// URL into a site served over HTTPS triggers "Mixed Content" warnings, and current browsers block such frames rather than display them, so the chatbot will simply not load.
- Data Encryption: All traffic between the visitor's browser and the chatbot travels over the TLS connection to the provider's URL, which protects conversation data from interception in transit. TLS protects data in transit only: the chatbot provider itself still receives and processes the conversation, so choose providers whose data handling you trust.
Administrative Security
Access to the chatbot configuration is restricted to users with administrative privileges.
- Configuration Validation: Only users with the capability to manage plugins can add or modify chatbot URLs in the WordPress dashboard; users who can merely edit content cannot point the site at a new chatbot.
- Shortcode Safety: The [supervised_ai_bot] shortcode only renders chatbots whose IDs are defined in the admin settings. It does not accept a URL or script in its attributes, so a user who can edit post content cannot embed an arbitrary external page through the shortcode.
Best Practices for Site Owners
While the plugin provides an isolated container for your bots, site owners should follow these guidelines:
- Trusted Sources Only: Only add URLs from Supervised AI providers you trust. Isolation limits what a framed page can do to your site; it does not stop a malicious or compromised chatbot from showing misleading content to your visitors or collecting whatever they type into it.
- Regular Updates: Keep the plugin updated to the latest version so you have the most recent security fixes and UI optimizations.
- Content Security Policy (CSP): For advanced users, we recommend listing each chatbot's origin (scheme and host) in the frame-src directive of your site's Content-Security-Policy header, so the browser will only frame the chatbot origins you have explicitly allow-listed and will refuse any other frame source.
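The following PHP ties together the three controls above (https-only URLs, admin-only configuration with an ID-based shortcode, and a frame-src CSP). It is an added illustration, not the Supervised AI Bots plugin's own code: the sab_demo_* functions, the sab_demo_bot shortcode and the sab_demo_bot_urls option are hypothetical names chosen so they cannot be confused with the plugin's real ones, while the WordPress APIs called (wp_parse_url, esc_url, esc_url_raw, esc_attr, sanitize_key, current_user_can, shortcode_atts, add_shortcode, add_action, home_url) are real.

```php
<?php
// Illustrative hardening for an iframe-embedding WordPress plugin.
// Added example, not the Supervised AI Bots plugin's own code. The function
// names, the 'sab_demo_bot' shortcode and the 'sab_demo_bot_urls' option are
// hypothetical; the WordPress functions used are real core APIs.

// Validate a chatbot URL before storing it: it must parse, must be https://,
// must not carry credentials, and must not point at this site's own host
// (a same-origin frame would defeat the isolation the iframe is meant to give).
function sab_demo_validate_bot_url( string $url ): ?string {
    $url   = trim( $url );
    $parts = wp_parse_url( $url );
    if ( ! is_array( $parts ) || empty( $parts['host'] ) ) {
        return null;
    }
    if ( strtolower( $parts['scheme'] ?? '' ) !== 'https' ) {
        return null; // http:// would be mixed content and browsers block it
    }
    if ( isset( $parts['user'] ) || isset( $parts['pass'] ) ) {
        return null;
    }
    $own_host = (string) wp_parse_url( home_url(), PHP_URL_HOST );
    if ( strcasecmp( $parts['host'], $own_host ) === 0 ) {
        return null;
    }
    $clean = esc_url_raw( $url, array( 'https' ) );
    return '' !== $clean ? $clean : null;
}

// Origin form (scheme://host[:port]) for use as a CSP frame-src source.
function sab_demo_origin( string $url ): string {
    $parts  = wp_parse_url( $url );
    $origin = 'https://' . strtolower( $parts['host'] );
    if ( ! empty( $parts['port'] ) ) {
        $origin .= ':' . (int) $parts['port'];
    }
    return $origin;
}

// Saving URLs requires the capability to manage plugins; invalid entries
// are dropped rather than stored.
function sab_demo_save_bot_urls( array $urls ): bool {
    if ( ! current_user_can( 'activate_plugins' ) ) {
        return false;
    }
    $clean = array();
    foreach ( $urls as $id => $url ) {
        $id = sanitize_key( (string) $id );
        $ok = sab_demo_validate_bot_url( (string) $url );
        if ( '' !== $id && null !== $ok ) {
            $clean[ $id ] = $ok;
        }
    }
    update_option( 'sab_demo_bot_urls', $clean, false );
    return true;
}

// The shortcode takes only an ID, which is looked up in the admin-saved
// settings. Nothing placed in post content is ever used as the frame source.
add_shortcode( 'sab_demo_bot', function ( $atts ) {
    $atts = shortcode_atts( array( 'id' => '' ), $atts, 'sab_demo_bot' );
    $urls = (array) get_option( 'sab_demo_bot_urls', array() );
    $id   = sanitize_key( (string) $atts['id'] );
    if ( '' === $id || empty( $urls[ $id ] ) ) {
        return '';
    }
    // sandbox: scripts, forms, popups and the provider's own origin are
    // allowed; top-level navigation is not, so the bot cannot redirect the page.
    return sprintf(
        '<iframe src="%s" sandbox="allow-scripts allow-forms allow-same-origin allow-popups" referrerpolicy="strict-origin-when-cross-origin" title="%s"></iframe>',
        esc_url( $urls[ $id ], array( 'https' ) ),
        esc_attr( 'Chatbot ' . $id )
    );
} );

// Send a Content-Security-Policy whose frame-src lists only the configured
// chatbot origins (plus 'self'); the browser refuses any other framed origin.
add_action( 'send_headers', function () {
    $urls    = (array) get_option( 'sab_demo_bot_urls', array() );
    $origins = array_unique( array_map( 'sab_demo_origin', $urls ) );
    header( "Content-Security-Policy: frame-src 'self' " . implode( ' ', $origins ) );
} );
```

Two points are worth checking before adopting this pattern. First, the sandbox attribute grants allow-same-origin only because the validator rejects your own host: a same-origin frame with both allow-scripts and allow-same-origin could remove its own sandbox, whereas a cross-origin provider merely keeps its own cookies, which it needs to work. Second, browsers enforce every Content-Security-Policy header they receive, so if your theme, a security plugin or the web server already sends one, merge the frame-src sources into that policy instead of emitting a second header; after deploying, confirm the final header in the browser's developer tools or with a HEAD request to the front page.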