Disable/redirect/add noindex headers for .onrender.com URLs
planned
A
Adam Quaile
When custom domains are active, provide an option to do one of the following:
* Disable the onrender.com subdomain
* Redirect it to one of the custom domains.
* Keep the site as-is but add a
noindex
header to all responses from the onrender.com subdomain. Benefits:
* Security [1]
* SEO [2]
----
[1] When using a custom domain one of the benefits is that instead of having the DNS pointing to Render, you can point it to Cloudflare (for example) as a proxy.
This reduces load on the origin server and the {project}.onrender.com seems like a bit of a loose-end.
Could somebody DDoS this server, bypassing cloudflare's protection?
(Similar to https://render.canny.io/features/p/add-option-to-redirect-the-onrendercom-subdomain-to-the-primary-custom-domain-fo)
[2] Add
x-robots-tag: noindex
header to deploys without assigned custom domains. This would allow testing one's full Web site content on Render without needing to alter a repo's existing "robots.txt" file yet avoid risking the duplicate-content penalty from Google and other search vendors. Similar functionality is provided by Vercel (https://vercel.com/docs/v2/edge-network/headers?query=robot#inlinecode).Log In
p
philipp.faber
when will this be released? This is a must-have for moving away from aws.
D
David Geukers
Would love this
D
Daniel Meador
Frustrating to see something marked as "planned" 3 years ago. This does seem like a core item that is lacking
y
yaron levi
This is a huge hole for us security-wise.
Can't stress this enough.
When you pass your traffic via CloudFlare to audit, watch and block incoming routes, at the same time you are also open at the Render address which makes CloudFlare not relevant.
s
sys
It's mind boggling to me that this isn't available yet. Why do we have to try and convince you that it's insane to "just not publish it on the internet". Are we now supposed to set random project names, just so we can avoid being spammed by crawlers bruteforcing subdomains on *.onrender.com?
It's not a "convenience", it should be a given. We are spinning up servers and putting sites on the internet. How am I supposed to choose Render from the myriad of XaaS providers when we can't event control which domains can be used to reach our content?
Anurag Goel
Are there any use cases where you'd still need to index the subdomain if the custom domain is verified and active?
We can automatically disable indexing by adding the
X-Robots-Tag: noindex
header when you add and verify a custom domain.We will still need a way to permanently redirect the onrender.com domain to a custom domain.
T
T.J. Crowder
Anurag Goel: FWIW, I can't speak for anyone else, but I can't imagine wanting to have indexing on the
onrender.com
subdomain when I had a custom domain active.T
T.J. Crowder
Anurag Goel - My request is to disable the onrender.com site entirely, not just to make it non-indexable. This request appears to only be about indexing, which means my request is not covered by it. Please un-merge it, unless I've misunderstood the above.
Anurag Goel
T.J. Crowder: It's in the same category of
onrender.com
requests, which is why it was merged. The feature implementation will likely give customers a choice to disable, redirect or add no-index headers to the Render subdomain.T
T.J. Crowder
Anurag Goel: Thanks. As long as the implementation does that and doesn't just do what's described, that's great. But I worry about only what's described being done, meaning what I've requested is delayed until it's done and then I have to re-request it. Hopefully this comment thread will help, but it would be better if the description were changed to make it clear. Thanks.
Anurag Goel
T.J. Crowder: we're planning to create a 301 redirect for the Render subdomain, which will effectively disable it, since the redirect will be performed at the Render load balancing level and your servers won't see anything for the subdomain. Does that work?
T
T.J. Crowder
Anurag Goel: Thanks for checking in. It's better than nothing, but why can't the subdomain just
not exist
? Exactly as though you'd typed asldkfjaslkdfjaslk.onrender.com
(e.g., a project that doesn't exist)? A 301 leaks the internal name of my project to anyone who wants to query an A
record and do a GET
. Leaking internal implementation information really bothers me. It's like those old response headers telling hackers exactly what version of Apache you were using, letting them tailor their attacks. Please "just" (I know that word is problematic :-D ) make whatever creates the (project).onrender.com subdomain not create it. Thanks for listening. :-)b
brian
T.J. Crowder: if the onrender.com site does not exist how do you configure DNS so the custom domain hits the render service?
T
T.J. Crowder
brian: The subdomain isn't involved in that process (not even today). You create an
A
record for the custom domain, pointing to an IP address that routes to Render's servers (well, CloudFlare's, but on Render's behalf). The custom domain doesn't point to the subdomain with a CNAME
or anything like that.Anurag Goel
Merged in a post:
With custom domain, optionally disable onrender.com version
T
T.J. Crowder
Please make it possible to disable the projectname.onrender.com subdomain when you have a custom domain in place. Yes, you can mitigate this from an SEO perspective with rel="canonical" and you can sniff the
Host
header, etc., but it's unnecessary complication.This relates to https://feedback.render.com/features/p/domain-level-redirects, but is different.
TIA
C
Christian Stefanescu
I would also find this convenient.
R
Rinas Muhammed
I was trying to do this as well and learned that's not possible. Please include this feature.
Load More
→