
Avoid using subdomains for accounts in your saas app - tarr11
http://douglastarr.com/avoid-using-subdomains-for-your-saas-app
======
donalhunt
I think this misses a whole section on security.

e.g. [https://security.stackexchange.com/questions/33851/protecting-against-cross-subdomain-cookie-attacks](https://security.stackexchange.com/questions/33851/protecting-against-cross-subdomain-cookie-attacks)

~~~
tarr11
That's a great link, I will add it in. Thanks.

~~~
donalhunt
I think you're kind of missing my point. This space is a lot more complicated
than the page indicates, and the usual warning of "a little knowledge is a
dangerous thing..." applies.

Some additional context:

- [https://security.googleblog.com/2012/08/content-hosting-for-modern-web.html](https://security.googleblog.com/2012/08/content-hosting-for-modern-web.html)

- [https://en.wikipedia.org/wiki/Same-origin_policy](https://en.wikipedia.org/wiki/Same-origin_policy)

- and other articles on CORS, XSS, CSRF, etc.
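
The cross-subdomain cookie point raised in the links above, as an added example that is not part of this thread or the linked articles: an RFC 6265 domain-match check showing which hosts in a constructed per-tenant subdomain layout receive a session cookie scoped to the parent domain, compared with a host-only cookie. The host names and cookie names are constructed for illustration.

```python
# Added example (not from the thread): RFC 6265 section 5.1.3 domain matching,
# used to show why a cookie with Domain=example.com is attached to requests for
# every sibling subdomain, while a host-only cookie goes back only to its issuer.
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Cookie:
    name: str
    domain: Optional[str]  # Domain attribute from Set-Cookie; None means host-only
    host: str              # host that issued the cookie


def domain_matches(request_host: str, cookie_domain: str) -> bool:
    """True if request_host equals cookie_domain or is a subdomain of it."""
    request_host = request_host.lower().rstrip(".")
    cookie_domain = cookie_domain.lower().strip(".")
    return request_host == cookie_domain or request_host.endswith("." + cookie_domain)


def would_be_sent(cookie: Cookie, request_host: str) -> bool:
    """Would a conforming browser attach `cookie` to a request for `request_host`?"""
    if cookie.domain is None:
        # Host-only: returned solely to the exact host that set it.
        return request_host.lower() == cookie.host.lower()
    return domain_matches(request_host, cookie.domain)


def exposure(cookie: Cookie, hosts: List[str]) -> List[str]:
    """Subset of `hosts` that would receive the cookie on each request."""
    return [h for h in hosts if would_be_sent(cookie, h)]


# Constructed layout: one subdomain per customer plus the shared app host.
TENANT_HOSTS = ["app.example.com", "acme.example.com", "tenant-b.example.com", "example.com"]

# Weak setting: session cookie scoped to the parent domain so it "works everywhere".
SHARED = Cookie("session", domain="example.com", host="app.example.com")
# Corrected setting: no Domain attribute, so the cookie is host-only.
HOST_ONLY = Cookie("session", domain=None, host="app.example.com")

if __name__ == "__main__":
    print("Domain=example.com is sent to:", exposure(SHARED, TENANT_HOSTS))
    print("host-only cookie is sent to:  ", exposure(HOST_ONLY, TENANT_HOSTS))
```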

~~~
tarr11
Is there some statement that I wrote that you believe is misleading or
incorrect?

I'm trying to warn people off of subdomains, rather than encourage it.

