{
    "id": "S035",
    "name": "Host separate applications on different hostnames",
    "description": "Leverage same-origin policy restrictions by hosting separate applications on different hostnames to isolate resources and cookies and to prevent cross-application attacks. Each application should have its own hostname/subdomain.",
    "category": "security",
    "severity": "medium",
    "enabled": true,
    "engines": ["heuristic"],
    "enginePreference": ["heuristic"],
    "tags": ["security", "same-origin", "isolation", "cors", "hostname", "architecture"],
    "examples": {
        "valid": [
            "// Good: Separate hostnames for different apps",
            "// app1.example.com, app2.example.com, admin.example.com",
            "// API: api.example.com, Frontend: www.example.com"
        ],
        "invalid": [
            "// Bad: Same origin for multiple apps",
            "// example.com/app1, example.com/app2",
            "// Shared cookies and localStorage between apps"
        ]
    },
    "fixable": false,
    "docs": {
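        "description": "This rule ensures applications are hosted on separate hostnames to leverage same-origin policy benefits. Same-origin policy prevents scripts from one origin from accessing resources from another, isolates cookies and storage per hostname, and limits the impact of XSS to a single application. Note that cookie isolation holds only for host-only cookies: a cookie set with a Domain attribute covering the parent domain is still sent to sibling subdomains, so prefer host-only cookies (for example, with the __Host- prefix). Avoid hosting multiple apps on the same origin with path-based routing (example.com/app1, example.com/app2).",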
        "url": "https://owasp.org/www-community/attacks/Cross-site_Scripting_(XSS)"
    }
}
