[vuln] subdomain phishing

[filippofinke]

I think we should find a safe way to tell users when they are on official stormkit services instead of those hosted on behalf of users.

For example I have the domain https://beta.stormkit.io that redirects to my personal site and I think an average user (even a developer) might fall for it thinking it's the original stormkit beta.

I have thought of several solutions:

• A different domain for user content like stormkitapps.io
• A list of reserved words that cannot be used as app display name.
• Maybe add another level to the subdomain like displayname.user-app.stormkit.io

[filippofinke]

Okay, that was a big fail.

Currently there is already another domain called stormkit.dev for user apps.

[svedova]

@filippofinke maybe a different and shorter domain can remove this confusion. We're working on a v2 for the hosting - guess we can use the new and more different domain name for v2 deployments.