Domains to Whitelist - Fit My Vehicle

Required (widget will not function without these)
Required for fonts (widget will look degraded without these)
Optional (analytics, non-blocking)
WAF / Proxy considerations

Domain	Protocol	Purpose
`cdn.fitmyvehicle.com.au`	HTTPS (443)	Widget script + iframe SPA
`api.fitmyvehicle.com.au`	HTTPS (443)	API calls (from inside iframe)
`cloud.fitmyvehicle.com.au`	HTTPS + WSS (443)	Database queries (from inside iframe)

Domain	Protocol	Purpose
`use.typekit.net`	HTTPS (443)	Adobe Fonts CSS
`p.typekit.net`	HTTPS (443)	Adobe Fonts files
`fonts.googleapis.com`	HTTPS (443)	Google Fonts CSS
`fonts.gstatic.com`	HTTPS (443)	Google Fonts files

Font providers are loaded inside the iframe only — they never touch your page.

Optional (analytics, non-blocking)

Domain	Protocol	Purpose
`api.ipify.org`	HTTPS (443)	IP detection for analytics
`api64.ipify.org`	HTTPS (443)	IPv6 IP detection

All traffic is HTTPS. FMV does not use HTTP. All connections are encrypted. Your site must also be served over HTTPS.

WAF / Proxy considerations

Do not inspect/decrypt SSL on traffic to *.fitmyvehicle.com.au — this breaks JWT token validation
Do not strip custom headers — the API uses X-Public-Key, X-Quote-Token, and Idempotency-Key
Do not block postMessage — the iframe sends close events to the parent window
Max POST body: 64 KB (quote submissions) — ensure your WAF allows this

Button Attributes Content Security Policy

⌘I