Add Security to Self-Hosted Communication Widgets #242

Open
pminumula opened this issue Oct 31, 2024 · 1 comment

@pminumula

The standard communication widget includes built-in security, but there’s no clear guidance for securing Option 3: Customized Widget and Chat Interface UI (Self-Hosted).

- Is there documentation on encrypting and securing data between the self-hosted widget and the backend?
- An API or settings to apply similar security protocols as in the standard widget.

@haomingli2020
Collaborator

Hi @pminumula,

The Connect Hosted Comms Widget uses JSON Web Token for security. Please refer to this doc for more details.
In general, you can build a backend service which can 1/ generate a JWT with a secret and 2/ validate a JWT against the secret. Then you can have your web application call this backend to generate and pass a JWT (with a short TTL) when starting a chat, and in your Lambda function where you call the Amazon Connect StartChatContact API, you can validate the JWT before making the API call.
You can build other security layers like throttling within the API gateway layer. https://docs.aws.amazon.com/apigateway/latest/developerguide/api-gateway-request-throttling.html

Please let me know if you have other questions.
