from Hacker News

Ask HN: Why do most platforms have the same host pattern?

by digitalsanctum on 4/14/23, 3:33 PM with 4 comments

  {random-string}{domain}

• by fancyremarker on 4/14/23, 4:01 PM

  I work at Aptible, another PaaS that follows the same host pattern you describe for providing one-off addresses when someone doesn't want to bring their own domain. The reasons you stated are both valid, along with the fact that a single domain means we don't need to _register_ new domains for every customer app.

  Another note: we use `on-aptible.com` for our hosted app domains, separate from `aptible.com` for an important security reason: it is a second line of defense in avoiding cookie/CORS attacks (the first line of defense being setting cookies we control in a single subdomain and avoiding wildcards for CORS).

  A related important measure for a PaaS using a single domain for subdomains owned by different accounts is to register that domain on the Public Suffix List [0], which prevents "supercookies" being set across these separately-owned subdomains.

  [0] https://publicsuffix.org/

• by LinuxBender on 4/14/23, 3:46 PM

  What other reasons would this common pattern be used?

  Laziness. Some of the higher-end platforms create customer specific sub-domains and use sub-domain wildcards once that customer is in a particular revenue bracket.

  The pattern you mention has gotten many AWS and related platform customers into trouble from sub-domain take-over as humans are good at creating things and quite bad at de-provisioning things despite automation. There are some bug-bounty folks that spend their entire time looking for sub-domain take-over opportunities and I hear it can be quite lucrative.

• by relacxt on 4/14/23, 3:37 PM

  From the top of my head, using the same domain means cookies can be shared across a domain if you set them to be able to do that but you can't do that across multiple domains