Defining Your Urls (Gatsby & Netlify Example)

Posted on March 04, 2019

Securing Your Urls

I think one of the things that’s often forgotten about securing your app is limiting its URL surface area.

For example, if you visit the IP address of your server, does the app load? What about the staging URL?

If you’re on Apache, a quick .htaccess conditional keyed on an environment variable will fix this issue. If you’re on Nginx, the same thing applies.

[Image: stop sign. As in, stop trying to hack my app]

SEO Implications

I think even on marketing sites this is a relatively important thing. For example:

This site is built with Gatsby on Netlify. Netlify’s Redirect Rules are fairly straightforward: you put a _redirects file in the root of your published directory.

I do this by putting a _redirects file in the root of my repo and then changing my npm build script to look like this: gatsby build --prefix-paths && cp ./_redirects ./public.

Then, inside my _redirects file, I put this content:

http://priceless-ardinghelli-0ef69f.netlify.com/* https://tylerzey.com/:splat 301!
https://priceless-ardinghelli-0ef69f.netlify.com/* https://tylerzey.com/:splat 301!
http://www.tylerzey.com/* https://tylerzey.com/:splat 301!
https://www.tylerzey.com/* https://tylerzey.com/:splat 301!
http://tylerzey.com/* https://tylerzey.com/:splat 301!
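As an added example (not code from the post or from Netlify), here is a small Python checker that parses rules in the _redirects format above and simulates Netlify's host-qualified matching with first-match-wins and :splat substitution, so you can confirm that every alternate origin (Netlify subdomain, www, plain http) lands on the canonical https host. It does not model the file-exists check that the ! flag overrides, and the staging hostname used in the usage note is a constructed placeholder.

```python
from urllib.parse import urlsplit

# Constructed copy of the post's _redirects rules, one rule per line as Netlify expects.
REDIRECTS = """\
http://priceless-ardinghelli-0ef69f.netlify.com/*  https://tylerzey.com/:splat 301!
https://priceless-ardinghelli-0ef69f.netlify.com/* https://tylerzey.com/:splat 301!
http://www.tylerzey.com/*   https://tylerzey.com/:splat 301!
https://www.tylerzey.com/*  https://tylerzey.com/:splat 301!
http://tylerzey.com/*       https://tylerzey.com/:splat 301!
"""

def parse_redirects(text):
    """Parse _redirects lines into (source, target, status, forced) tuples."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            raise ValueError(f"malformed rule: {raw!r}")
        status, forced = 301, False               # Netlify's default status is 301
        if len(parts) > 2:
            forced = parts[2].endswith("!")       # '!' forces the rule even if a file exists
            status = int(parts[2].rstrip("!"))
        rules.append((parts[0], parts[1], status, forced))
    return rules

def _splat(source, url):
    """Return the text matched by a trailing '*' when url matches source, else None."""
    src, req = urlsplit(source), urlsplit(url)
    # A source that names a scheme and host only matches that exact scheme and host.
    if src.netloc and (src.scheme, src.netloc.lower()) != (req.scheme, req.netloc.lower()):
        return None
    if src.path.endswith("/*"):
        prefix = src.path[:-1]                    # keep the slash, drop the '*'
        return req.path[len(prefix):] if req.path.startswith(prefix) else None
    return "" if req.path == src.path else None

def resolve(rules, url):
    """First matching rule wins; (200, url) means the request would be served as-is."""
    for source, target, status, _forced in rules:
        splat = _splat(source, url)
        if splat is not None:
            return status, target.replace(":splat", splat)
    return 200, url

def uncovered_origins(rules, origins, canonical):
    """Origins that do NOT redirect every path onto the canonical origin."""
    base = canonical.rstrip("/") + "/"
    return [o for o in origins
            if not (300 <= resolve(rules, o + "/any/page")[0] < 400
                    and resolve(rules, o + "/any/page")[1].startswith(base))]
```

Feed uncovered_origins every hostname and scheme your app actually answers on; any origin it returns (for instance a constructed https://staging.example.invalid that no rule covers) is a surface the rules leave open.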

It’s a small thing. But, limiting public access to one endpoint is a good practice to get into.

I’m a really big fan of Cloudflare as they provide a ton of security out of the box. However, I’d expect the majority of their customers still have a non-Cloudflare-protected staging URL, dev URL, or IP address that is publicly available.

This essentially voids all security provided by them.