Ability to hide, remove, or disable the *.replit.app deployment URL when domain link is added

Describe your feature request

Deployments are a great way to easily publish web apps or websites with great uptime and security.
We can choose a name for the .replit.app subdomain where our web app will be accessible. But that means that someone can easily access it if he has the link or if he tests random *.replit.app urls.

As deployments can easily be linked to other domains, I think that would be nice, when the owner has added a domain link, to allow the owner to hide or remove or disable the original *.replit.app access.

What problem(s) would this feature solve?

When a deployment is published, the owner could link his own domain and only provide and allow the domain link url to public and be sure that no one could ever enter the app with the *replit.app domain. For security purpose mostly

4 Likes

I can kind of see your point but also isn’t the point of a website for people to find it? You can make a private Repl with a login page on your website and then nobody’s going to get your secrets. Can you please elaborate on why this would be helpful?

2 Likes

Well, of course when we create a website, we want people to come and watch it.

But if I have a company and I make my website on Repl, and make a domain link to www.mycompany.com, I don’t want people to be able to find that it is also accessible at : mycompany-fvillemin.replit.app

It is not a big issue but I feel, as long as we have defined a custom domain link, we could choose to hide or disable the basic replit.app domain

2 Likes

That makes sense. It would seem a little less professional for a big company to use a .replit.app domain, even if it is an alternate. Of course, that would mean that if the primary domain went down you could still use the alt.

1 Like

You can always have your deployed app block access if you use the Replit URL.

1 Like

Very good idea thanks
But how do you do that ?
The flask request.url return a long and strange URL. Not the good one used by the browser

2 Likes

Try using the Host header from the request. It shouldn’t be spoofable because of Replit’s proxy.

1 Like

No, sorry, the host in the headers is the same and still a long list of ids
I don’t see anything in the headers that could say that i’m on the replit.app instead of my domain link.

1 Like