Enterprise IT Checklist for Template Loading

This checklist helps enterprise IT and security teams allow Uhuu templates to load reliably inside the Uhuu document editor.

It is especially useful for networks with strict firewalls, SSL inspection, content filtering, or security products that modify HTTP response headers.

How Uhuu Loads a Template

When a user creates or edits a document, Uhuu loads several pieces in the browser:

app.uhuu.io
 `- document editor
    |- embed.uhuu.io
    `- iframe
       `- deployed template host
          |- platform.uhuu.io
          |- api.uhuu.io
          |- editor-dialogs.uhuu.io
          |- gptstream.uhuu.io
          `- template assets and third-party domains

The document editor is loaded from Uhuu, with editor assets served from embed.uhuu.io. The deployed template is loaded in an iframe from the template's deployed URL. The template then loads the Uhuu SDK and any scripts, styles, fonts, images, maps, APIs, or other assets used by that template.

The editor and template communicate through browser postMessage. The editor validates the template origin, and the template must be allowed to render inside the Uhuu editor iframe.

Where to Find the Checklist in Uhuu

In Uhuu:

1. Open the workspace.
2. Open the template.
3. Go to Template Settings.
4. Find Domains Used By This Template near the headers and security settings.
5. Use Primary checklist for the core Uhuu allowlist.
6. Click Run Scan to detect additional template-specific domains.
7. Use Extended checklist for the full allowlist after scanning.

The checklist can be copied as plain domains, JSON, or a report that can be shared with an enterprise IT team.

Primary Domains

These domains are commonly required for Uhuu document editing and template loading:

Domain	Purpose
app.uhuu.io	Uhuu application and document editor
embed.uhuu.io	Uhuu document editor hosting
platform.uhuu.io	Uhuu SDK
api.uhuu.io	Uhuu API requests
editor-dialogs.uhuu.io	Uhuu editor dialogs
gptstream.uhuu.io	AI streaming features
Template host	The deployed template URL, for example a-cdn.uhuu.io, a template-specific *.uhuu.net host, or a customer-owned domain

The exact template host depends on the template's deployed URL. Use the in-app checklist for the final domain list.

Enterprise client templates are often hosted on a client-specific Uhuu subdomain such as [client-identifier]-templates.uhuu.net. Do not forget to verify the actual template host in the template settings and include that exact host in the IT allowlist.

Additional Domains

After Run Scan, Uhuu inspects the deployed template and linked source files to detect additional domains from:

• <script src="">
• <link href="">
• <img src="">
• CSS @import
• CSS url(...)
• CSS @font-face
• best-effort static URL literals in JavaScript, including fetch(...), axios(...), and common asset strings

Examples of additional domains include font providers, map providers, CDN domains, image storage, analytics tools, and third-party APIs.

Static detection is best effort. Domains constructed dynamically at runtime may not appear until the template actually executes in the browser.

IT Allowlist Requirements

Enterprise firewalls, proxies, secure web gateways, browser isolation tools, and SSL inspection systems should allow:

• HTTPS access to all primary domains.
• HTTPS access to all additional domains detected by the scan.
• JavaScript, CSS, image, font, media, and API requests required by the template.
• Browser iframe rendering of the deployed template inside the Uhuu editor.
• Browser postMessage communication between the Uhuu editor and the template iframe.

If the template uses AI, map dialogs, image dialogs, external APIs, custom fonts, or third-party JavaScript, those services may require additional allowlisting.

Required Header Behavior

The deployed template must be allowed to render in the Uhuu editor iframe.

Verify the template host

Do not forget to verify the actual enterprise template host before checking headers.

Example: https://example-templates.uhuu.net

Recommended template response headers:

Content-Security-Policy: frame-ancestors 'self' https://app.uhuu.io https://*.uhuu.io

Avoid these headers on template responses:

X-Frame-Options: DENY
X-Frame-Options: SAMEORIGIN

X-Frame-Options: DENY and X-Frame-Options: SAMEORIGIN prevent the browser from rendering the template inside the Uhuu editor iframe.

Enterprise SSL inspection proxies must not inject X-Frame-Options or a conflicting Content-Security-Policy into responses from the template host or Uhuu domains.

Proxy Loading Mode

Some templates can be loaded through Uhuu's same-origin template proxy. This can help confirm whether a client network is blocking the normal template host or template assets.

In Uhuu, enable Template proxy loading in the template settings. After it is enabled, new documents created from that template load the deployed template through the Uhuu proxy.

Proxy loading is intended for auditing, diagnostics, and compatibility checks. It is not the recommended long-term production setup.

Important limitations:

• Proxy loading can degrade performance.
• Proxy loading may not cover every external service or dynamically generated runtime URL.
• Some template functionality can still be limited if the client network blocks required third-party services.
• Proxy access is authenticated, workspace-scoped, and blocked while the template setting is disabled.

Recommended production approach:

1. Use the primary and extended checklists.
2. Allowlist all required domains.
3. Ensure iframe headers are configured correctly.
4. Verify normal document creation without relying on proxy loading.

Troubleshooting Symptoms

Symptom	Likely Cause	What to Check
Template area stays blank	Iframe blocked	Check X-Frame-Options, frame-ancestors, proxy header injection, and template host allowlisting
Template health check appears	SDK or handshake failed	Check platform.uhuu.io, JavaScript blocking, and browser console errors
Styling or fonts are missing	Asset domain blocked	Run Scan and allowlist CSS, font, and CDN domains
Images are missing	Image host blocked or relative asset path unavailable	Check detected image/CDN domains and template asset paths
Dialogs or AI features fail	Feature-specific Uhuu domain blocked	Check editor-dialogs.uhuu.io, gptstream.uhuu.io, and any third-party APIs
Works with proxy but not normally	Client network blocks the normal host or headers	Use proxy result as evidence, then allowlist the normal domains and fix iframe headers

Shareable IT Request

You can copy and adapt this message for an enterprise IT team:

We need to allow Uhuu document templates to load inside the Uhuu document editor.

Please allow HTTPS access to the attached primary and extended domain checklist.

Please also ensure SSL inspection or proxy systems do not inject these headers on Uhuu or template responses:
- X-Frame-Options: DENY
- X-Frame-Options: SAMEORIGIN
- Content-Security-Policy values that block frame embedding by app.uhuu.io or *.uhuu.io

The template is loaded in a browser iframe by app.uhuu.io, with editor assets served from embed.uhuu.io. The Uhuu SDK loads from platform.uhuu.io, and template-specific assets may load from the additional domains detected by Uhuu's scan.

The recommended production setup is normal domain allowlisting and correct iframe headers. Uhuu proxy loading is available only as an auditing or compatibility mode and may reduce performance or provide limited functionality for external services.

Final Verification

After allowlisting is complete:

1. Open the template settings in Uhuu.
2. Run the scan again.
3. Confirm the primary and extended domain lists are known to IT.
4. Create a new document from the template normally.
5. Confirm the template loads, the Uhuu SDK handshake completes, assets load, dialogs work, and PDF generation still succeeds.

If normal loading fails but proxy loading works, the issue is usually in network allowlisting or injected security headers rather than the template code itself.