---
title: Host Apps On Different Hostnames
impact: MEDIUM
impactDescription: provides cookie and origin isolation
tags: hostname, isolation, same-origin, security
---

## Host Apps On Different Hostnames

Different applications on the same hostname can access each other's cookies and storage.

**Incorrect (shared hostname):**

```
https://example.com/admin    # Admin panel
https://example.com/api      # API
https://example.com/app      # User app
# All share cookies and localStorage!
```

**Correct (separate hostnames):**

```
https://admin.example.com    # Admin panel
https://api.example.com      # API
https://app.example.com      # User app
# Each has isolated cookies and storage
```

**Benefits:**
- Cookie isolation
- localStorage isolation
- Same-origin policy protection

**Configuration in Go (CORS example):**

```go
import "github.com/rs/cors"

mux := http.NewServeMux()
handler := cors.New(cors.Options{
    AllowedOrigins: []string{
        "https://app.example.com",
        "https://admin.example.com",
    },
    AllowCredentials: true,
}).Handler(mux)
```

**Tools:** Infrastructure Planning, Security Audit
