Hi Jess,
On Mon, Jul 01, 2019 at 10:39:23AM +0100, Jess Robinson wrote:
> I eventually realised that the main bitfolk.com itself is sending
> hsts-required headers, and including all subdomains, which seems
> to trigger regardless of port :( Removing bitfolk.com fixed it for
> now, though presumably it will return if I visit the toplevel site
> again.
TL;DR: Use example.vps.bitfolk.space.
When I first started putting customers who did not have a domain of
their own under vps.bitfolk.com, I only ever thought that this would
be a short term arrangement for them. I didn't (and still don't)
really understand how anyone who would use a VPS would exist without
at least one domain name of their own.
However, subsequent experience taught me that such people do exist,
in quite a number. It is perhaps not that they don't HAVE a domain
name, but that they do not wish to ADVERTISE any particular domain
name.
I still don't understand it, but I accept that people keep wanting
to do this.
Use of example.vps.bitfolk.com has a few different issues, such as
(non-exhaustive list):
- Makes you subject to BitFolk's HSTS policy as you pointed out
- May in future make you subject to Content Security Policy:
https://www.w3.org/TR/CSP3/
(bitfolk.com and panel.bitfolk.com have one but I don't think they
enforce it on subdomains at present)
- Cross-domain leaking of cookies from .bitfolk.com to sub-domains.
- Impossible for the customer to add extra DNS records like CNAME,
MX, AAAA, SRV, TXT or anything that might be generally useful in
one's own domain.
HSTS is the real killer so far, so in January we introduced
the domain bitfolk.space and started putting customers who didn't
have a preference into vps.bitfolk.space instead, copying over all
existing records from under vps.bitfolk.com.
We aren't going to enforce HSTS or anything like that on
bitfolk.space. At some point we will deprecate vps.bitfolk.com. I
still do not recommend long-term use of host names under
vps.bitfolk.space.
HSTS etc won't be removed from bitfolk.com. It was a bad idea to
ever put customer stuff inside bitfolk.com.
Cheers,
Andy
--
https://bitfolk.com/ -- No-nonsense VPS hosting
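
The HSTS behaviour discussed in this message, as an added example that is not part of the original e-mail and not BitFolk's code: a simplified model of how a browser matches a host against its stored HSTS policies and upgrades the URL. The `HstsStore` class is hypothetical, the header value is constructed (the message does not quote the real one), and policy expiry is not modelled.

```python
from urllib.parse import urlsplit, urlunsplit

def parse_sts(header):
    """Return (max_age, include_subdomains) from a Strict-Transport-Security value."""
    max_age, include_sub = None, False
    for directive in header.split(";"):
        name, _, value = directive.strip().partition("=")
        if name.strip().lower() == "max-age":
            max_age = int(value.strip().strip('"'))
        elif name.strip().lower() == "includesubdomains":
            include_sub = True
    if max_age is None:
        raise ValueError("max-age directive is required")
    return max_age, include_sub

class HstsStore:
    """Hypothetical, simplified browser HSTS cache: host -> includeSubDomains flag."""
    def __init__(self):
        self.hosts = {}

    def note(self, host, header):
        max_age, include_sub = parse_sts(header)
        if max_age == 0:
            self.hosts.pop(host.lower(), None)  # max-age=0 forgets the host
        else:
            self.hosts[host.lower()] = include_sub

    def applies(self, host):
        labels = host.lower().rstrip(".").split(".")
        for i in range(len(labels)):
            parent = ".".join(labels[i:])
            # exact match always counts; a parent only counts with includeSubDomains
            if parent in self.hosts and (i == 0 or self.hosts[parent]):
                return True
        return False

    def rewrite(self, url):
        parts = urlsplit(url)
        if parts.scheme != "http" or not self.applies(parts.hostname or ""):
            return url
        # The port plays no part in the match. An explicit :80 becomes the
        # https default; any other explicit port is preserved.
        port = "" if parts.port in (None, 80) else f":{parts.port}"
        return urlunsplit(("https", parts.hostname + port, parts.path, parts.query, parts.fragment))

if __name__ == "__main__":
    store = HstsStore()
    store.note("bitfolk.com", "max-age=31536000; includeSubDomains")  # constructed value
    for url in ("http://example.vps.bitfolk.com:8080/", "http://example.vps.bitfolk.space:8080/"):
        print(url, "->", store.rewrite(url))
```

Because the match is on host name only, a plain-HTTP service on any port of a host under vps.bitfolk.com is upgraded once the browser has seen the parent's policy, while the same service under vps.bitfolk.space is left alone.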