Why Phishing Resistance Works

1. Browser validation

  • The browser only allows an RP ID that equals the page origin's domain or a registrable suffix of it (login.example.com may use example.com, never evil.com).
  • You cannot call WebAuthn on evil.com and pretend to be google.com: the request is rejected before any credential is touched.

2. Signed origin data

  • The authenticator signs authenticatorData together with the SHA-256 hash of clientDataJSON, which the browser builds and page script cannot alter.
  • clientDataJSON carries the full origin, such as https://example.com, plus the challenge and the ceremony type (webauthn.get).
  • Your server must verify that origin against the one it expects, and check the rpIdHash inside authenticatorData, before trusting the signature.

3. Fresh challenge

  • Every ceremony uses a new random challenge issued by the server and stored until it is used.
  • The server checks that the signed clientDataJSON carries that exact challenge and discards it after one use, so replaying an old assertion fails verification.
  • The result is proof for this site, on this origin, right now.
Intro to Passkeys
8 / 15