bri3d 20 hours ago
Proxying from the "hot" domain (with user credentials) to a third party service is always going to be an awful idea. Why not just CNAME Mintlify to dev-docs.discord.com or something? This is also why an `app.` or even better `tenant.` subdomain is always a good idea; it limits the blast radius of mistakes like this.

gkoberger 18 hours ago | parent | next
I run a product similar to Mintlify. We've made different product decisions than them. We don't support this, nor do we request access to codebases for Git sync. Both are security issues waiting to happen, no matter how much customers want them. The reason people want it, though, is for SEO: whether it's true or outdated voodoo, almost everyone believes having their documentation on a subdomain hurts the parent domain. Google says it's not true, SEO experts say it is. I wish Mintlify the best here – it's stressful to let customers down like this.
odensc 18 hours ago | parent | prev | next
Yep - this is the core issue that made the vulnerability so bad. And if you use a subdomain for a third-party service, make sure your main app auth cookies are scoped to host-only. Better yet, use a completely different domain like you would for user-generated content (e.g. discorddocs.com).
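As an added example (not part of any comment in this thread), here is a small Python model of the RFC 6265 cookie-scoping rule odensc is pointing at: a session cookie set with `Domain=example.com` is sent to every subdomain, including one CNAMEd to a third-party host, while a host-only cookie (no `Domain` attribute) stays on the host that set it. All host names and cookie values are constructed.

```python
from dataclasses import dataclass

@dataclass
class Cookie:
    name: str
    domain: str      # effective domain, lowercase, no leading dot
    host_only: bool  # True when Set-Cookie carried no Domain attribute

def domain_matches(request_host: str, cookie_domain: str) -> bool:
    """RFC 6265 section 5.1.3 domain-match for host names (IP literals not handled)."""
    request_host = request_host.lower()
    return request_host == cookie_domain or request_host.endswith("." + cookie_domain)

def parse_set_cookie(header: str, origin_host: str) -> Cookie:
    """Derive a cookie's scope from a Set-Cookie header sent by origin_host
    (RFC 6265 section 5.3, the Domain attribute steps)."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].partition("=")[0].strip()
    domain_attr = ""
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        if key.strip().lower() == "domain":
            # a leading dot is ignored and the value is case-insensitive
            domain_attr = val.strip().lower().lstrip(".")
    if not domain_attr:
        return Cookie(name, origin_host.lower(), host_only=True)
    if not domain_matches(origin_host, domain_attr):
        raise ValueError("Domain attribute rejected: origin host does not domain-match it")
    return Cookie(name, domain_attr, host_only=False)

def cookie_sent_to(cookie: Cookie, request_host: str) -> bool:
    """RFC 6265 section 5.4 step 1: host-only cookies need an exact host match,
    domain cookies use domain-match."""
    if cookie.host_only:
        return request_host.lower() == cookie.domain
    return domain_matches(request_host, cookie.domain)

# Constructed hosts: the apex, the main app, and a docs subdomain CNAMEd to a third party.
HOSTS = ("example.com", "app.example.com", "docs.example.com")

def blast_radius(header: str, origin_host: str) -> list[str]:
    """Hosts among HOSTS that would receive the cookie described by header."""
    cookie = parse_set_cookie(header, origin_host)
    return [h for h in HOSTS if cookie_sent_to(cookie, h)]

if __name__ == "__main__":
    print(blast_radius("sid=s3cr3t; Domain=example.com; Secure; HttpOnly", "app.example.com"))
    print(blast_radius("sid=s3cr3t; Secure; HttpOnly", "app.example.com"))
```

The first call shows the domain-scoped cookie reaching docs.example.com; the second shows the host-only cookie staying on app.example.com.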
pverheggen 20 hours ago | parent | prev
I think the reason companies do this for doc sites is so they can substitute your real credentials into code snippets with "YOUR_API_KEY". Seems like a poor tradeoff given the security downside.