umbraco / Umbraco.Cloud.Issues

Public issue tracker for Umbraco Cloud

Addressing Security Risks: Preventing Exposure of Azure URLs in Umbraco Cloud via Cloudflare #838

Open Nikhilgirirajdigital opened 1 month ago

Nikhilgirirajdigital commented 1 month ago

Issue description

Umbraco Cloud uses Cloudflare, but we notice that Google indexes the customer's Azure URL. This is dangerous, as it exposes Cloud customers to DoS & DDoS attacks without the protection from Cloudflare. We could manually fix them per project with redirects, but shouldn't Umbraco Cloud not expose these Azure URLs in the first place?

Jette94 commented 1 month ago

Hi @Nikhilgirirajdigital

We do have a workaround for this issue in the docs: https://docs.umbraco.com/umbraco-cloud/set-up/project-settings/manage-hostnames/rewrites-on-cloud#troubleshooting

Hope that helps 😁

c9mb commented 1 month ago

Being pedantic - the example pattern given in the docs really should be escaping the 2 dots rather than accepting any single character in those positions: ^(.*)?\.azurewebsites\.net$

However, even that is still a clunky workaround, and has limitations as specified in the docs.

Perhaps Umbraco should be redirecting from ^(.*)?\.azurewebsites\.net$ to https://native-host.umbraco.io/{R:0} as a default transform-rule for the live environment, which will in turn be redirected if/when a custom domain is applied.
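
The difference between the two host patterns discussed in the comment above, as an added example that is not part of the thread or of the Umbraco docs. IIS URL Rewrite uses ECMAScript regular expressions and ignores case by default, so JavaScript `RegExp` with the `i` flag models the host condition. The unescaped pattern is assumed from the comment's description, the hostnames are constructed, and `redirectFor` is a hypothetical helper.

```javascript
// Assumed form of the docs pattern: both dots unescaped, so each matches any character.
const LOOSE = /^(.*)?.azurewebsites.net$/i;
// Pattern proposed in the comment above: both dots escaped, so only a literal "." matches.
const STRICT = /^(.*)?\.azurewebsites\.net$/i;

// Placeholder canonical host taken from the comment's example redirect target.
const CANONICAL = "native-host.umbraco.io";

// Hypothetical model of the redirect rule: if the Host header matches the
// pattern, return the Location the client is sent to; otherwise null.
// `path` stands in for {R:0}, the matched URL path without a leading slash.
function redirectFor(pattern, host, path) {
  return pattern.test(host) ? `https://${CANONICAL}/${path}` : null;
}

// Constructed Host header values.
const HOSTS = [
  "myproject.azurewebsites.net",  // Azure origin hostname: should redirect
  "MYPROJECT.AzureWebsites.NET",  // same host, different case: should redirect
  "myproject-azurewebsites-net",  // not an Azure hostname
  "shopazurewebsitesXnet",        // not an Azure hostname
  "www.example.com",              // custom domain: must be served, not redirected
];

// Evaluate both patterns against every sample host.
function compare() {
  return HOSTS.map((host) => ({
    host,
    loose: LOOSE.test(host),
    strict: STRICT.test(host),
  }));
}

// Hosts the loose pattern redirects but the strict pattern leaves alone.
function overmatched() {
  return compare().filter((r) => r.loose && !r.strict).map((r) => r.host);
}

for (const r of compare()) {
  console.log(`${r.host.padEnd(30)} loose=${r.loose} strict=${r.strict}`);
}
console.log("over-matched by loose pattern:", overmatched());
```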