Frontend code is hosted on frontend.netlify.app and
Backend code is hosted on backend.herokudns.app
Is there a way to map a single host name, www.myapp.com to both frontend.netlify.app and backend.herokudns.app?
I can't achieve this on Google Domains using CNAME record - it only allows me to map www.myapp.com to either frontend.netlify.app or backend.herokudns.app.
Motivation
To make AJAX requests from my frontend without getting a CORS error. Without solving this problem, I have to map something like api.myapp.com to backend.herokudns.app, which creates an additional step of side-stepping the CORS error, since AJAX requests will be to a different domain.
There is no way to map a domain to multiple other domain names, AFAIK. I believe this is largely to avoid a situation where one domain name maps to a bunch of other domain names, that all map to other domain names, thus resulting in a DNS amplification attack for each DNS query for the original domain name.
I am currently trying to host a website as an experiment on Heroku. I deployed the back end, which you can consider yyyy.herokuapp.com, and the front end, which you can consider xxxx.herokuapp.com.
Now, here's the issue: I need to set cookies between xxxx and yyyy. I know this will be a massive security issue, but since this is an experimental website I am not willing to get a custom domain. I tried to set the cookies' domain to: herokuapp.com, .herokuapp.com, *.herokuapp.com, xxxx.herokuapp.com, yyyy.herokuapp.com.
Yet it doesn't work; Chrome denies the cookies and gives this message:
This attempt to set a cookie via a Set-Cookie header was blocked because its Domain attribute was invalid with regards to the current host url.
So, how do I approach this issue without the need for a custom domain?
This is my configuration to set cookies (on the back end, which uses Flask):
    import datetime
    from flask import make_response

    response = make_response("ok")
    response.set_cookie("example_cookie", value="cookie value",
                        max_age=900, expires=datetime.datetime.utcnow() +
                        datetime.timedelta(seconds=900), secure=True, domain=".herokuapp.com",
                        samesite='none')
If herokuapp.com were not a public suffix (a.k.a. an effective top-level domain or eTLD), then in the case of a cookie set by xxxx.herokuapp.com with Domain=herokuapp.com, browsers would send that cookie to yyyy.herokuapp.com.
However, there is a snag: in order to isolate its different tenants, Heroku required herokuapp.com be added to the public-suffix list a while back. Most browsers refuse to set a cookie for a public suffix:
For security reasons, many user agents are configured to reject Domain attributes that correspond to “public suffixes”. For example, some user agents will reject Domain attributes of “com” or “co.uk”.
Therefore, attempts to set a cookie with Domain=herokuapp.com will be rejected by browsers, as you've experienced.
Note: adding a leading dot in the Domain attribute of the Set-Cookie HTTP header has no effect, at least in modern browsers.
To get out of this difficulty, you could simply buy a cheap domain name (say infinityvive.com) to serve both your frontend and backend from subdomains of it. Then you'd be able to use Domain=infinityvive.com because your domain would not be a public suffix.
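As an added illustration (not code from the answer above) of why Domain=herokuapp.com is rejected while a purchased domain works, the following Python models the browser's Domain-attribute check against a constructed subset of the Public Suffix List; the list contents and host names are assumptions for the example.

```python
from typing import Optional, Tuple

# Constructed subset of the Public Suffix List (https://publicsuffix.org/) for
# illustration; browsers ship the full list, which does include herokuapp.com.
PUBLIC_SUFFIXES = {"com", "uk", "co.uk", "herokuapp.com"}

def normalize(domain: str) -> str:
    """Lower-case and strip dots; RFC 6265 ignores a leading dot in Domain=."""
    return domain.lower().strip(".")

def domain_matches(host: str, cookie_domain: str) -> bool:
    """RFC 6265 domain-match: host equals cookie_domain or ends with '.' + it."""
    return host == cookie_domain or host.endswith("." + cookie_domain)

def set_cookie_accepted(request_host: str, domain_attr: Optional[str]) -> Tuple[bool, str]:
    """Model the browser's check of a Set-Cookie Domain attribute.

    Returns (accepted, effective_domain). Without a Domain attribute the cookie
    is host-only and scoped to the exact request host.
    """
    host = normalize(request_host)
    if not domain_attr:
        return True, host
    cookie_domain = normalize(domain_attr)
    if cookie_domain in PUBLIC_SUFFIXES:
        # Chrome reports this as "Domain attribute was invalid with regards to
        # the current host url" for Domain=herokuapp.com.
        return False, cookie_domain
    if not domain_matches(host, cookie_domain):
        return False, cookie_domain
    return True, cookie_domain

def cookie_sent_to(effective_domain: str, host_only: bool, target_host: str) -> bool:
    """Would a stored cookie be attached to a request for target_host?"""
    target = normalize(target_host)
    if host_only:
        return target == effective_domain
    return domain_matches(target, effective_domain)

def cross_subdomain_cookie_works(set_on: str, domain_attr: Optional[str], read_on: str) -> bool:
    """Set on one host, is the cookie sent to the other?"""
    accepted, effective = set_cookie_accepted(set_on, domain_attr)
    return accepted and cookie_sent_to(effective, domain_attr is None, read_on)
```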
I have a CloudFront setup which is configured to serve various subdomains under my domain.
e.g.
http://demo1.mydomain.com/test.html, and http://demo2.mydomain.com/index.html can be two requests which are served by the CloudFront.
Now the issue here is with CloudFront caching. It caches the content based on path, i.e. in the above examples "/test.html" and "/index.html". This creates a problem: if two subdomains have the same path, the content cached for that path under one subdomain will also be served from the cache for the same path under the other subdomain, e.g.
http://demo1.mydomain.com/example.html
http://demo2.mydomain.com/example.html
The second request here will serve the cached content of the first one.
Can I configure CloudFront to include the subdomain when caching? This way I can avoid same-path conflicts across subdomains.
Thanks
I had the same challenge, and solved it using headers.
In detail:
We are indicating our tenants by subdomain id:
<id>.domain.com
We wanted to store a different cached value for each tenant. For example:
123.domain.com/get-config and 456.domain.com/get-config need to return different cached values.
As a solution, since CloudFront doesn't supply an indication based on subdomains, we based it on headers.
In your case, you can pass a header named appName and give it the values demo1, demo2, etc.
CloudFront will hold different cache values based on that header.
https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/header-caching.html#header-caching-web-selecting
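An added example, not from the answer above, of the header-based approach: it builds a CloudFront cache policy (the CreateCachePolicy API shape) that adds the request's Host header to the cache key, so demo1.mydomain.com/example.html and demo2.mydomain.com/example.html are cached separately, and models the resulting cache key locally. The policy name, TTLs and the choice of Host rather than the answer's custom appName header are assumptions.

```python
# Header(s) added to the cache key. The answer's custom "appName" header would
# work the same way; Host needs no client-side change because browsers send it.
CACHE_KEY_HEADERS = ["Host"]

def build_cache_policy_config(name: str, default_ttl: int = 86400) -> dict:
    """CachePolicyConfig for CloudFront's CreateCachePolicy (assumed values)."""
    return {
        "Name": name,
        "Comment": "Cache per subdomain by including Host in the cache key",
        "DefaultTTL": default_ttl,
        "MinTTL": 0,
        "MaxTTL": 31536000,
        "ParametersInCacheKeyAndForwardedToOrigin": {
            "EnableAcceptEncodingGzip": True,
            "EnableAcceptEncodingBrotli": True,
            "HeadersConfig": {
                "HeaderBehavior": "whitelist",
                "Headers": {"Quantity": len(CACHE_KEY_HEADERS), "Items": list(CACHE_KEY_HEADERS)},
            },
            "CookiesConfig": {"CookieBehavior": "none"},
            "QueryStringsConfig": {"QueryStringBehavior": "none"},
        },
    }

def cache_key(request_headers: dict, path: str, whitelisted: list) -> tuple:
    """Local model of the cache key: the path plus each whitelisted header value.

    With an empty whitelist two subdomains collide on the same path, which is
    the behaviour the question describes; with Host whitelisted they do not.
    """
    lower = {k.lower(): v for k, v in request_headers.items()}
    return (path,) + tuple((h, lower.get(h.lower(), "")) for h in whitelisted)

if __name__ == "__main__":
    import boto3  # assumes AWS credentials and permissions are configured
    cf = boto3.client("cloudfront")
    resp = cf.create_cache_policy(CachePolicyConfig=build_cache_policy_config("PerSubdomainCache"))
    print(resp["CachePolicy"]["Id"])  # attach this policy id to the distribution's cache behaviour
```

Whatever is in the cache key is also forwarded to the origin, so the origin must be able to serve requests for each subdomain's Host value.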
I'm implementing the Google Indexing API for some job posts, and I have it working in "production" (sending URLs that are preceded by my public domain, i.e. "jobs.myproduction.com"), but I can't figure out how to test it in any QA or integration environment. The domains of the links wouldn't be my verified domain (the public one) but rather something like "box1.qa.myproduction.com", and those URLs aren't even publicly accessible.
In other APIs, we'd have test keys and a test endpoint; we'd deploy those values into configuration tables all the way up the line so that throughout testing we're hitting a test API endpoint with a test key, and we can see it working while NOT publishing test data to a production system. But Google doesn't seem to have that. It's either do it in production with production values or get constant failures.
Right now, on my dev machine, I have "localhost" URLs for my job postings; those get rejected from the API call for what looks like the fact that it's "localhost". If I change it to a dummy domain "jobs.mytest.com", I get a 403 FORBIDDEN, presumably because I'm not a validated owner of the "jobs.mytest.com" domain.
I CAN get a 200 out of Google if I use a subdomain above my verified domain. So I have the verified domain "jobs.myproduction.com"; if I send the URL as "https://test.jobs.myproduction.com/jobs/whateverId" I can get a 200 back. But:
I don't know where that's going (the domain isn't valid, so I assume Google won't list it),
I wouldn't put it above Google to somehow ding me for submitting bad URLs, and
This doesn't seem to be the right way to do this at all.
Does anyone have a suggestion on how to get around this? Am I missing something in the Google API dashboard for test accounts?
I'm using Google reCAPTCHA v2.
Is there any way to set trusted IPs, i.e. IPs that will not be required to check the "I'm not a robot" checkbox?
If you are doing a client-side validation of the trusted IPs it would break the whole point of having a captcha, since the function may be overridden.
If you are serving the form from your server and if it is server-side rendered, things may be easy and you could avoid using captcha by modifying the form appropriately in your server. The exact code may vary based on your stack.
If you want to implement this using some other REST service, you can employ multiple strategies. One could be to request a token from your service and based on the IP whitelist you generate and send a new token which can be used to replace the captcha in the front end. But in this case, you must do an extra validation to check if the token is valid and from the same IP as the one requested.
In any case, I am not sure if there is a straightforward mechanism that would give you the same level of security as a captcha that sets trusted IPs without some server-side magic.
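The token strategy the answer sketches, as an added Python example (not the answer's own code): a trusted client asks the server for a token, the server issues one only for allow-listed IPs, binds it to that IP with an HMAC and an expiry, and the form handler skips the reCAPTCHA check only when the token verifies for the same IP. The secret, the trusted networks and the token lifetime are constructed for the example.

```python
import hashlib
import hmac
import ipaddress
from base64 import urlsafe_b64decode, urlsafe_b64encode

# Assumptions, not from the answer above: an HMAC secret held only by the server
# and a constructed allow-list of trusted networks.
SECRET = b"replace-with-a-random-32-byte-secret"
TRUSTED_NETWORKS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("203.0.113.0/24")]
TOKEN_TTL = 300  # seconds a bypass token stays valid

def is_trusted(client_ip: str) -> bool:
    # client_ip must be the peer address your own proxy established, never an
    # unvalidated X-Forwarded-For value, or the allow-list is trivially bypassed.
    try:
        addr = ipaddress.ip_address(client_ip)
    except ValueError:
        return False
    return any(addr in net for net in TRUSTED_NETWORKS)

def _sign(payload: bytes) -> bytes:
    return hmac.new(SECRET, payload, hashlib.sha256).digest()

def issue_bypass_token(client_ip: str, now: int):
    """Bind the client IP and an expiry into a signed token; None for untrusted IPs."""
    if not is_trusted(client_ip):
        return None
    payload = f"{client_ip}|{now + TOKEN_TTL}".encode()
    return urlsafe_b64encode(payload + _sign(payload)).decode()

def verify_bypass_token(token: str, client_ip: str, now: int) -> bool:
    """Valid only if the signature checks, the token is unexpired and the IP matches."""
    try:
        raw = urlsafe_b64decode(token.encode())
        payload, sig = raw[:-32], raw[-32:]
        if not hmac.compare_digest(sig, _sign(payload)):
            return False
        ip, expires = payload.decode().rsplit("|", 1)
        return ip == client_ip and now < int(expires)
    except (ValueError, UnicodeDecodeError):
        return False

def captcha_required(form: dict, client_ip: str, now: int) -> bool:
    """Server-side gate: skip the reCAPTCHA siteverify call only for a valid token."""
    token = form.get("bypass_token")
    return not (token and verify_bypass_token(token, client_ip, now))
```

When captcha_required returns True the handler should verify the g-recaptcha-response with Google as usual; the front end only hides the widget after the token endpoint has actually returned one.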
Using Google Domains, I've set up a synthetic record to redirect foo.com -> www.foo.com. Just like in this example:
https://support.google.com/domains/answer/6346300?hl=en
However, it doesn't seem to work with https://foo.com.
How do I configure it so that the subdomain forward works with https as well?
To give it more context, I'm mapping my custom domain to a Heroku app, so I've set up a CNAME record for www.foo.com, and would like https://foo.com to be mapped to https://www.foo.com.
Before providing any input, please confirm whether you are using any pointing service.
If http://foo.com is working whereas https://foo.com is not, then you may need a service like PointDNS or Cloudflare.