Hacker Newsnew | past | comments | ask | show | jobs | submitlogin
Ask HN: Why do most platforms have the same host pattern?
3 points by thesurlydev on April 14, 2023 | hide | past | favorite | 4 comments
A lot of platforms like fly.io, Heroku, vercel, etc. have more or less the same simple host pattern. The pattern seems to be:

  {random-string}{domain}
Some reasons are obvious like:

1. Using the same subdomain allows for a single wildcard cert 2. The random string label probably helps to avoid collisions, protect privacy, security, etc.

What other reasons would this common pattern be used?



I work at Aptible, another PaaS that follows the same host pattern you describe for providing one-off addresses when someone doesn't want to bring their own domain. The reasons you stated are both valid, along with the fact that a single domain means we don't need to _register_ new domains for every customer app.

Another note: we use `on-aptible.com` for our hosted app domains, separate from `aptible.com` for an important security reason: it is a second line of defense in avoiding cookie/CORS attacks (the first line of defense being setting cookies we control in a single subdomain and avoiding wildcards for CORS).

A related important measure for a PaaS using a single domain for subdomains owned by different accounts is to register that domain on the Public Suffix List [0], which prevents "supercookies" being set across these separately-owned subdomains.

[0] https://publicsuffix.org/


What other reasons would this common pattern be used?

Laziness. Some of the higher-end platforms create customer specific sub-domains and use sub-domain wildcards once that customer is in a particular revenue bracket.

The pattern you mention has gotten many AWS and related platform customers into trouble from sub-domain take-over as humans are good at creating things and quite bad at de-provisioning things despite automation. There are some bug-bounty folks that spend their entire time looking for sub-domain take-over opportunities and I hear it can be quite lucrative.


Domain takeover is only possible if the subdomain is user-specifiable, like with AWS S3.

As long as subdomain is random and never reused (pretty simple to do if you incorporate some sort of timestamp in the name generation algorithm) then the takeover is impossible. This is another good reason to generate random subdomain part.


From the top of my head, using the same domain means cookies can be shared across a domain if you set them to be able to do that but you can't do that across multiple domains




Consider applying for YC's Summer 2026 batch! Applications are open till May 4

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: