Your super secret subdomain is not a super secret

You’ve started a new project right? Figure you want to show it off to a bunch of people. Sending preview links to friends and supporters?

The subdomain you’re using is not private information. The obvious part: the people you send it to could just pass the link on to anyone.

The less obvious is that there’s a log of SSL certificates issued. If you’ve set up HTTPS of any kind for the subdomain it’s now listed in the Certificate Transparency log. I already knew this so I have no shame, these are all just subdomains I use for keeping track of which server things are on so no biggie. In your case though this might also reveal your origin IP address and all sorts. Subdomains are not private. Stop doing that.

Not a believer? Chuck your domain into Google’s Transparency Report site.

Don’t just rely on hard to guess subdomains to hide your shiny new project. They’re public knowledge. Put some auth on it!
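
Here's a way to audit your own domain, as an added example that is not part of the original post: it reads Certificate Transparency search results, collects every hostname disclosed for the domain, and lists the ones that are neither meant to be public nor behind auth. The record layout follows crt.sh's JSON export (an assumption, the post only mentions Google's site), and the sample data, `AUTH_REQUIRED` inventory and `INTENTIONALLY_PUBLIC` set are constructed.

```python
import json

# Constructed sample: records shaped like a CT search JSON export
# (field names follow crt.sh's output; the data itself is made up).
SAMPLE_CT_JSON = """[
 {"name_value": "example.com\\nwww.example.com", "not_before": "2023-01-10T00:00:00"},
 {"name_value": "Secret-Preview.example.com", "not_before": "2023-03-02T00:00:00"},
 {"name_value": "*.staging.example.com", "not_before": "2023-02-01T00:00:00"},
 {"name_value": "secret-preview.example.com", "not_before": "2023-06-01T00:00:00"},
 {"name_value": "notexample.com", "not_before": "2023-04-01T00:00:00"}
]"""

# Hypothetical inventory you maintain yourself: host -> is auth required?
AUTH_REQUIRED = {"example.com": False, "www.example.com": False,
                 "secret-preview.example.com": False}
INTENTIONALLY_PUBLIC = {"example.com", "www.example.com"}

def disclosed_names(ct_json, domain):
    """Return {hostname: earliest not_before} for names under `domain`."""
    domain = domain.lower().rstrip(".")
    seen = {}
    for record in json.loads(ct_json):
        # One certificate can carry several names, newline-separated.
        for name in record["name_value"].splitlines():
            name = name.strip().lower().rstrip(".")
            # Keep the domain itself or a true subdomain, not a lookalike suffix.
            if name != domain and not name.endswith("." + domain):
                continue
            first = record["not_before"]
            if name not in seen or first < seen[name]:
                seen[name] = first
    return seen

def unprotected_disclosures(ct_json, domain, auth_required, public):
    """Hosts that are in the CT log, not meant to be public, and lack auth."""
    findings = []
    for name, first_seen in sorted(disclosed_names(ct_json, domain).items()):
        if name.startswith("*.") or name in public:
            continue  # a wildcard entry names no specific host
        if not auth_required.get(name, False):  # unknown hosts count as unprotected
            findings.append((name, first_seen))
    return findings

if __name__ == "__main__":
    print(unprotected_disclosures(SAMPLE_CT_JSON, "example.com", AUTH_REQUIRED, INTENTIONALLY_PUBLIC))
```

Anything this prints has been publicly listed since the date shown, so it needs auth no matter how hard the name is to guess.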


Heya! I’m Cohan and I make websites. I also administer Linux servers and do other nerdy good stuff like that.
My real love is writing though, this here’s my outlet for that.