Your super secret subdomain is not a super secret

You’ve started a new project right? Figure you want to show it off to a bunch of people. Sending preview links to friends and supporters?

The subdomain you’re using is not private information. The obvious - the people you send it to could just link it to anyone.

The less obvious is that there’s a log of SSL certificates issued. If you’ve set up HTTPS of any kind for the subdomain it’s now listed in the┬áCertificate Transparency log. I already knew this so I have no shame, these are all just subdomains I use for keeping track of which server things are on so no biggie. In your case though this might also reveal your origin IP address and all sorts. Subdomains are not private. Stop doing that.

Not a believer? Chuck your domain into Google’s Transparency Report site

Don’t just rely on hard to guess subdomains to hide your shiny new project. They’re public knowledge. Put some auth on it!

Heya! I’m Cohan and I make PHP-based websites. I also administer Linux servers and do other nerdy stuff like that.
In my more creative moments I’m writing a comedy film. As ye do.
A picture of me.