Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Discourage use of @web in base URL #3559

Closed
putyourlightson opened this issue Dec 14, 2018 · 5 comments
Closed

Discourage use of @web in base URL #3559

putyourlightson opened this issue Dec 14, 2018 · 5 comments

Comments

@putyourlightson
Copy link

putyourlightson commented Dec 14, 2018
edited

From the docs (https://docs.craftcms.com/v3/sites.html#site-url):

Don’t ever use the @web alias when defining your sites’ Base URLs. It could introduce a cache poisoning vulnerability, and Craft won’t be able to reliably determine which site is being requested.

I completely agree with the warning about using @web in a site's base URL and therefore suggest changing the "Base URL" description text when editing a site in the control panel to something more appropriate.

screenshot 2018-12-14 at 18 07 55
@putyourlightson putyourlightson changed the title Discourage use of @web in Base URL Discourage use of @web in base URL Dec 14, 2018
@brandonkelly
Copy link
Member

Yeah agree. We’re going to to move away from it (and aliases in general) in 3.1 in favor of environment variables thanks to the new support for them in CP settings (https://github.com/craftcms/cms/blob/3.1/docs/config/environments.md#control-panel-settings).

@putyourlightson
Copy link
Author

Perfect, thanks!

@brandonkelly brandonkelly reopened this Dec 15, 2018
@brandonkelly brandonkelly mentioned this issue Dec 17, 2018
Closed
brandonkelly added a commit that referenced this issue Dec 29, 2018
@brandonkelly
@web => $DEFAULT_SITE_URL
242da3a 
Resolves #3559
@brandonkelly
Copy link
Member

As of the next Craft 3.1 beta release, the web and CLI installers will no longer suggest @web for the site URL, and whatever URL is entered will be saved as a DEFAULT_SITE_URL environment variable in .env, and the actual site URL that gets stored will be replaced with $DEFAULT_SITE_URL (see 96867ed).

brandonkelly added a commit that referenced this issue Jan 11, 2019
@brandonkelly
Move #3559 release note to Security
5594167
@jorenvanhee
Copy link

The CLI installer still uses @web as default site URL. Site URL: [@web/]

@brandonkelly
Copy link
Member

That will only happen if you are installing with a config/project.yaml file already in place that defines a primary site with the baseUrl set to @web, or if you have a DEFAULT_SITE_URL environment variable defined, which is set to @web. In either case, Craft will just go with the flow. Otherwise no it will not recommend @web out of the blue anymore.

This was referenced Jun 16, 2020
Closed
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@brandonkelly @jorenvanhee