Infrastructure
This page covers subdomain and DNS configuration and cookie security considerations for the embedded myFlowpay integration.
Infrastructure Requirements
myFlowpay relies on authentication session cookies to manage and secure user sessions within the embedded app. To ensure that these session cookies work correctly, it is essential to configure a dedicated subdomain that shares the same root domain as your host application. This setup allows the embedded myFlowpay application to reliably set and access its own authentication session cookies, guaranteeing seamless and secure user sessions for your users.
Subdomain Setup
You need to create a CNAME record for a subdomain on your root domain that points to the myFlowpay infrastructure. This subdomain must be within the same root domain as your main application.
The necessary DNS target details for your CNAME configuration will be shared with you during the Flowpay partner onboarding process.
Example: if your host application is hosted at https://app.example.com, configure a subdomain such as https://flowpay.example.com.
Why is this required?
Modern browsers enforce strict security policies around cookies set by embedded content (iframes). When the myFlowpay application is embedded as an iframe within your host application, it needs to set and access its own authentication cookies to maintain user sessions. Whether those cookies count as first-party or third-party depends on the site (the registrable domain, e.g. example.com) of the top-level page versus that of the iframe, not on the exact host name. Without a shared root domain, these cookies would be treated as third-party cookies.
Third-party cookie restrictions:
- Safari and Firefox block or partition third-party cookies by default, and Chrome and Edge restrict them in private browsing and let users block them everywhere, as part of privacy protection measures.
- If myFlowpay were served from `my.flowpay.io` while embedded in your application at `app.example.com`, any cookies set by the iframe would be considered third-party and likely blocked.
- This would cause authentication to fail, preventing sessions from persisting altogether.
The subdomain solution:
By hosting the embedded myFlowpay application on a subdomain of your root domain (e.g., flowpay.example.com), the cookies set by the embedded application become same-site cookies rather than cross-site (third-party) cookies. This allows the myFlowpay iframe to reliably set and access its own authentication cookies, ensuring consistent session management regardless of browser privacy settings. One caveat: the root domain must not itself be a public suffix (such as github.io or a shared hosting domain), because subdomains of a public-suffix entry are treated by browsers as separate sites and the subdomain setup would not help there.
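The following is an added example, not Flowpay's code, showing how a browser decides whether an iframe's cookies are first-party (same-site) or third-party (cross-site): both host names are reduced to their site, the registrable domain (eTLD+1) derived from the Public Suffix List, and the two sites are compared. The suffix list here is a constructed subset, the host names are the page's examples plus a github.io case that illustrates the public-suffix caveat.

```javascript
// Added example, not Flowpay's code: how a browser decides whether cookies set
// by an iframe count as first-party (same-site) or third-party (cross-site).
// Both hosts are reduced to their "site": the registrable domain (eTLD+1)
// derived from the Public Suffix List. The list below is a constructed subset;
// real browsers ship the full list.
const PUBLIC_SUFFIXES = new Set(["com", "io", "uk", "co.uk", "github.io"]);

// Registrable domain of a host: the longest matching public suffix plus one
// more label. Returns null when the host is itself a public suffix.
function registrableDomain(host) {
  const labels = host.toLowerCase().replace(/\.$/, "").split(".");
  let suffixLabels = 1; // PSL default rule: an unknown TLD is a one-label suffix
  for (let i = labels.length - 1; i >= 0; i--) {
    if (PUBLIC_SUFFIXES.has(labels.slice(i).join("."))) {
      suffixLabels = labels.length - i;
    }
  }
  if (labels.length <= suffixLabels) return null;
  return labels.slice(labels.length - suffixLabels - 1).join(".");
}

// Same-site means both hosts share a registrable domain.
function isSameSite(topLevelHost, frameHost) {
  const a = registrableDomain(topLevelHost);
  const b = registrableDomain(frameHost);
  return a !== null && a === b;
}

// Describe the cookie context an iframe at frameHost gets inside a page at topLevelHost.
function iframeCookieContext(topLevelHost, frameHost) {
  const site = registrableDomain(frameHost);
  return isSameSite(topLevelHost, frameHost)
    ? `same-site (${site}): iframe cookies are first-party`
    : "cross-site: iframe cookies are third-party and may be blocked or partitioned";
}

// Constructed cases: the page's examples, plus a root domain that is a public suffix.
const CASES = [
  ["app.example.com", "my.flowpay.io"],        // default hosting: third-party
  ["app.example.com", "flowpay.example.com"],  // dedicated subdomain: same-site
  ["alice.github.io", "flowpay.github.io"],    // github.io is a public suffix: still cross-site
];
for (const [top, frame] of CASES) {
  console.log(`${top} embeds ${frame}: ${iframeCookieContext(top, frame)}`);
}
```

The third case is why the public-suffix caveat matters: two subdomains of github.io look like siblings but are different sites, so a dedicated subdomain there would not turn the iframe's cookies into first-party cookies.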
Cookie Isolation and Security
The embedded myFlowpay application does not have access to your host application's cookies when you configure your cookies correctly. Cookies are scoped to a host or domain rather than to the origin that set them: the browser attaches a cookie to every request whose host matches the cookie's `Domain` attribute, and exposes it via `document.cookie` to every page on such a host unless the cookie is `HttpOnly`. That `Domain` scope, not the iframe boundary, is what isolates your cookies from the embedded application.
How cookie isolation works:
Assuming your host application runs on app.example.com and the embedded myFlowpay iframe runs on flowpay.example.com:
| Cookie configuration | Accessible to iframe? | Status |
|---|---|---|
| No `Domain` attribute (host-only) | No | Safe |
| `Domain=app.example.com` | No | Safe |
| `Domain=example.com` (root domain) | Yes | Unsafe |
Key points:
- Host-only cookies (no `Domain` attribute) are the most secure: they are only sent to, and readable by, the exact host that set them.
- Domain cookies scoped to your subdomain (e.g., `Domain=app.example.com`) are safe because sibling subdomains like `flowpay.example.com` cannot access them (the cookie is still shared with any subdomain of `app.example.com`).
- Root domain cookies (e.g., `Domain=example.com`) are shared across ALL subdomains and would be accessible to the embedded iframe.
Recommended cookie configuration for your host application:
To ensure complete isolation of your application's cookies from the embedded myFlowpay iframe:
- Omit the `Domain` attribute entirely. When no `Domain` attribute is specified, browsers automatically scope the cookie to the exact host that set it (host-only cookie). This is the most restrictive and secure option.
- Use the `__Host-` cookie prefix. Cookies with this prefix must be set with `Secure`, must not have a `Domain` attribute, and `Path` must be `/`. This provides the strongest isolation guarantee, because the browser rejects the cookie outright if any of these conditions is violated, so a misconfiguration cannot silently widen its scope.
Note
Following these recommendations ensures that your host application's session cookies, authentication tokens, and other sensitive data remain completely inaccessible to the embedded myFlowpay iframe.
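The following is an added example, not Flowpay's code, that applies the scoping rules from the table and the recommendations above: it parses a `Set-Cookie` header the way a browser does, works out whether the cookie is host-only or a domain cookie, enforces the `__Host-` prefix rules, and reports whether the cookie would also reach `flowpay.example.com`. The host names are the page's examples; cookie names and values are constructed.

```javascript
// Added example, not Flowpay's code: classify a host-application cookie by
// whether the browser would also send it to the embedded iframe's host.
// Host names are the page's examples; cookie names and values are constructed.

// Minimal Set-Cookie parser: name=value followed by ";"-separated attributes.
function parseSetCookie(header) {
  const [nameValue, ...attrs] = header.split(";").map((s) => s.trim());
  const eq = nameValue.indexOf("=");
  const cookie = { name: nameValue.slice(0, eq), value: nameValue.slice(eq + 1), attrs: {} };
  for (const attr of attrs) {
    const i = attr.indexOf("=");
    const key = (i === -1 ? attr : attr.slice(0, i)).trim().toLowerCase();
    cookie.attrs[key] = i === -1 ? true : attr.slice(i + 1).trim();
  }
  return cookie;
}

// RFC 6265 section 5.1.3: a host domain-matches a cookie domain when it equals
// it or is a subdomain of it.
function domainMatches(host, cookieDomain) {
  host = host.toLowerCase();
  cookieDomain = cookieDomain.toLowerCase();
  return host === cookieDomain || host.endsWith("." + cookieDomain);
}

// RFC 6265 section 5.3: no Domain attribute -> host-only cookie scoped to the
// exact setting host; Domain=X -> domain cookie for X and every subdomain of X,
// accepted only if the setting host is within X. (Real browsers also reject a
// Domain that is a public suffix such as "com"; that check is omitted here.)
function effectiveScope(cookie, settingHost) {
  const raw = cookie.attrs.domain;
  if (raw === undefined || raw === true || raw === "") {
    return { hostOnly: true, domain: settingHost.toLowerCase() };
  }
  const domain = raw.toLowerCase().replace(/^\./, "");
  if (!domainMatches(settingHost, domain)) return { rejected: true };
  return { hostOnly: false, domain };
}

// Would the browser attach this cookie to a request to requestHost?
function sentTo(cookie, settingHost, requestHost) {
  const scope = effectiveScope(cookie, settingHost);
  if (scope.rejected) return false;
  const host = requestHost.toLowerCase();
  return scope.hostOnly ? host === scope.domain : domainMatches(host, scope.domain);
}

// __Host- prefix: browsers reject the cookie unless it is Secure, has no
// Domain attribute and has Path=/.
function hostPrefixValid(cookie) {
  if (!cookie.name.startsWith("__Host-")) return true;
  return cookie.attrs.secure === true &&
    cookie.attrs.domain === undefined &&
    cookie.attrs.path === "/";
}

// Classify a cookie set by the host application relative to the iframe host.
function classify(header, settingHost = "app.example.com", iframeHost = "flowpay.example.com") {
  const cookie = parseSetCookie(header);
  if (!hostPrefixValid(cookie)) return "rejected: violates __Host- rules";
  if (effectiveScope(cookie, settingHost).rejected) {
    return "rejected: Domain does not cover " + settingHost;
  }
  return sentTo(cookie, settingHost, iframeHost)
    ? "unsafe: also sent to " + iframeHost
    : "safe: not sent to " + iframeHost;
}

// Reproduces the table above plus the __Host- recommendation (constructed headers).
const SAMPLES = [
  "sid=abc123; Secure; HttpOnly; SameSite=Lax",
  "sid=abc123; Domain=app.example.com; Secure; HttpOnly",
  "sid=abc123; Domain=example.com; Secure; HttpOnly",
  "__Host-sid=abc123; Secure; HttpOnly; Path=/",
  "__Host-sid=abc123; Secure; HttpOnly; Domain=example.com; Path=/",
];
for (const h of SAMPLES) console.log(h.padEnd(64), "->", classify(h));
```

The last sample shows why the `__Host-` prefix is the safer choice: a root-domain `Domain` attribute on a plain cookie silently becomes an unsafe domain cookie, while the same attribute on a `__Host-` cookie makes the browser drop the cookie entirely, so the mistake surfaces immediately instead of leaking the session to the iframe host.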
Configuration Steps:
- Choose a preferred subdomain for the Flowpay embedded app (e.g., `flowpay.yourdomain.com`).
- Share your chosen subdomain with Flowpay so that our infrastructure can be prepared.
- Flowpay will provide you with all the necessary DNS target details for your records.
- Update your DNS records based on Flowpay's instructions and configure your host application to use the new subdomain instead of the default `my.flowpay.io` domain.
Important
The subdomain must be configured before starting your integration. Without this DNS and subdomain setup, authentication cookies will not work, and users will be unable to maintain authenticated sessions.