Subdomain Pages Bypass #456

Open
kecoliva opened this issue May 17, 2025 · 0 comments
kecoliva commented May 17, 2025

This sample allows subdomains to be accessed from the root domain:

https://hello.vercel.pub could be accessed by going to https://vercel.pub/s/hello

Adding in

```ts
// Block access to the subdomain pages from the root domain
if (pathname.startsWith('/s/')) {
  return NextResponse.rewrite(new URL('/404', request.url))
}
```

would fix it.

middleware.ts

```ts
import { type NextRequest, NextResponse } from 'next/server';

// extractSubdomain() is the sample's existing helper and is not shown here.
export async function middleware(request: NextRequest) {
  const { pathname } = request.nextUrl;
  const subdomain = extractSubdomain(request);

  if (subdomain) {
    // Block access to admin page from subdomains
    if (pathname.startsWith('/admin')) {
      return NextResponse.redirect(new URL('/', request.url));
    }

    // For the root path on a subdomain, rewrite to the subdomain page
    if (pathname === '/') {
      return NextResponse.rewrite(new URL(`/s/${subdomain}`, request.url));
    }
  }

  // Block access to the subdomain pages from the root domain
  if (pathname.startsWith('/s/')) {
    return NextResponse.rewrite(new URL('/404', request.url));
  }

  // On the root domain, allow normal access
  return NextResponse.next();
}
```
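
A regression check for the change proposed in this issue, as an added example that is not part of the original report or the project's code: it models the middleware's decision as a pure function and lists which constructed requests end up rendering a tenant page for a host that does not own it. `subdomainOf`, `renderedPath`, `leaks` and `SAMPLE` are hypothetical names, and `subdomainOf` is a simplified assumption about what `extractSubdomain` returns.

```typescript
// Added example: pure model of the middleware's routing decision plus a
// tenant-isolation check. All names here are hypothetical; subdomainOf is a
// simplified stand-in for the sample's extractSubdomain helper.
const ROOT_DOMAIN = 'vercel.pub';

type Req = { host: string; pathname: string };

// Assumption: "<tenant>.vercel.pub" maps to "<tenant>", anything else to null.
function subdomainOf(host: string): string | null {
  const h = host.toLowerCase().replace(/:\d+$/, '');
  if (h === ROOT_DOMAIN || h === `www.${ROOT_DOMAIN}`) return null;
  return h.endsWith(`.${ROOT_DOMAIN}`) ? h.slice(0, -(ROOT_DOMAIN.length + 1)) : null;
}

// Internal path finally rendered for a request. blockDirect=false models the
// sample before the proposed change, blockDirect=true models it afterwards.
function renderedPath(req: Req, blockDirect: boolean): string {
  const sub = subdomainOf(req.host);
  if (sub) {
    // The redirect to "/" is followed, so resolve the follow-up request.
    if (req.pathname.startsWith('/admin')) return renderedPath({ host: req.host, pathname: '/' }, blockDirect);
    if (req.pathname === '/') return `/s/${sub}`; // host-based rewrite
  }
  if (blockDirect && req.pathname.startsWith('/s/')) return '/404';
  return req.pathname;
}

// Isolation property: "/s/<name>" may be rendered only when the request host
// is that tenant's subdomain. Returns the requests that violate it.
function leaks(requests: Req[], blockDirect: boolean): Req[] {
  return requests.filter((req) => {
    const m = /^\/s\/([^/]+)/.exec(renderedPath(req, blockDirect));
    return m !== null && m[1] !== subdomainOf(req.host);
  });
}

// Constructed sample requests, not real traffic.
const SAMPLE: Req[] = [
  { host: 'hello.vercel.pub', pathname: '/' },
  { host: 'vercel.pub', pathname: '/' },
  { host: 'vercel.pub', pathname: '/s/hello' }, // the case reported above
  { host: 'hello.vercel.pub', pathname: '/admin' },
  { host: 'other.vercel.pub', pathname: '/s/hello' }, // same path, another tenant's host
];

console.log('before:', leaks(SAMPLE, false).map((r) => r.host + r.pathname));
console.log('after: ', leaks(SAMPLE, true).map((r) => r.host + r.pathname));
```

Because the rewrite for `/` on a subdomain returns before the `/s/` check is reached, the tenant's own page stays reachable through its host while direct `/s/...` requests resolve to `/404`.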