---
title: Host Apps On Different Hostnames
impact: MEDIUM
impactDescription: enforces origin isolation to prevent cross-app data and session leakage
tags: hostname, isolation, same-origin, security, kotlin
---

## Host Apps On Different Hostnames

Hosting multiple separate applications (e.g., a customer portal and an admin dashboard) on the same hostname but different paths (e.g., `/app` and `/admin`) is risky. Because they share the same origin, they also share cookies, `localStorage`, `sessionStorage`, and `IndexedDB`.

**Incorrect (Shared Hostname):**
```text
https://company.com/portal  <-- Shared cookies/storage
https://company.com/admin   <-- Shared cookies/storage
https://company.com/blog    <-- A vulnerability in the blog can steal admin cookies!
```

**Correct (Separate Hostnames):**
```text
https://portal.company.com  <-- Isolated
https://admin.company.com   <-- Isolated
https://blog.company.com    <-- Isolated
```

**Implementation in Kotlin (CORS):**
When applications are on different hostnames, the browser blocks cross-origin requests between them by default. If one app's front end needs to call another's API, configure Cross-Origin Resource Sharing (CORS) with an explicit allowlist of exact origins (scheme and host) rather than a wildcard, and enable credentials only for the origins that actually need them.

```kotlin
// Ktor CORS configuration for separate origins
import io.ktor.http.HttpHeaders
import io.ktor.http.HttpMethod
import io.ktor.server.application.Application
import io.ktor.server.application.install
import io.ktor.server.plugins.cors.routing.CORS

fun Application.configureCors() {
    install(CORS) {
        // Exact-origin allowlist; the parameter is `schemes` (HTTPS only here)
        allowHost("portal.company.com", schemes = listOf("https"))
        allowHost("admin.company.com", schemes = listOf("https"))
        // Cookies and the Authorization header cross origins only when explicitly allowed
        allowCredentials = true
        allowHeader(HttpHeaders.Authorization)
        allowMethod(HttpMethod.Options)
        allowMethod(HttpMethod.Post)
    }
}
```

```kotlin
// Spring Security
import org.springframework.context.annotation.Bean
import org.springframework.context.annotation.Configuration
import org.springframework.web.cors.CorsConfiguration
import org.springframework.web.cors.CorsConfigurationSource
import org.springframework.web.cors.UrlBasedCorsConfigurationSource

@Configuration
class CorsConfig {
    @Bean
    fun corsConfigurationSource(): CorsConfigurationSource {
        val configuration = CorsConfiguration()
        // Explicit origins only: "*" is not permitted together with allowCredentials = true
        configuration.allowedOrigins = listOf("https://portal.company.com")
        configuration.allowedMethods = listOf("GET", "POST", "PUT", "DELETE")
        configuration.allowCredentials = true
        val source = UrlBasedCorsConfigurationSource()
        source.registerCorsConfiguration("/**", configuration)
        return source
    }
}
```

**Benefits of Isolation:**
- **Cookie Security:** Admin session cookies set without a `Domain` attribute (host-only cookies) cannot be read or overwritten by logic in the user portal. A cookie set with `Domain=company.com` is sent to every subdomain, so keep sensitive cookies host-only.
- **Storage Security:** Sensitive data in `localStorage` is scoped to the specific application's origin only.
- **CSRF Mitigation:** Forging requests from one app to another becomes much harder because the browser treats them as different origins.
- **Blast Radius:** An XSS vulnerability in a less secure part of the site (like a blog or forum) cannot easily pivot to the highly sensitive admin panel.
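The cookie-isolation point above, and its limit, as an added example in Kotlin (not code from the original page): a small RFC 6265 domain-matching check showing that a host-only admin cookie stays on `admin.company.com`, while a cookie set with `Domain=company.com` is sent to every subdomain, so the hostname split only isolates cookies that omit the `Domain` attribute. The names `Cookie`, `domainMatches` and `isSentTo` are hypothetical helpers.

```kotlin
// Added example: which hosts receive a cookie, per RFC 6265 domain matching.
// IP-literal hosts are out of scope; hostnames only.
data class Cookie(val name: String, val domain: String?) // domain = Domain attribute, null = host-only

/** RFC 6265 section 5.1.3: does requestHost domain-match the cookie's Domain value? */
fun domainMatches(requestHost: String, cookieDomain: String): Boolean {
    val host = requestHost.lowercase()
    val domain = cookieDomain.lowercase().removePrefix(".")
    if (host == domain) return true
    // Must be a proper subdomain: "portal.company.com" matches, "evilcompany.com" does not
    return host.endsWith(".$domain")
}

/** Is a cookie set by setByHost included on a request to requestHost? */
fun isSentTo(cookie: Cookie, setByHost: String, requestHost: String): Boolean =
    if (cookie.domain == null) {
        requestHost.equals(setByHost, ignoreCase = true) // host-only cookie: exact host only
    } else {
        domainMatches(requestHost, cookie.domain)
    }

fun main() {
    // Constructed sample cookies, both issued by the admin app
    val hostOnly = Cookie("admin_session", domain = null)           // Set-Cookie: admin_session=...; Secure; HttpOnly
    val parentScoped = Cookie("admin_session", domain = "company.com") // Set-Cookie: ...; Domain=company.com
    val hosts = listOf(
        "admin.company.com", "portal.company.com", "blog.company.com",
        "evilcompany.com", "company.com.evil.example",
    )
    for (host in hosts) {
        println(
            "%-26s host-only=%-5s Domain=company.com=%s".format(
                host,
                isSentTo(hostOnly, "admin.company.com", host),
                isSentTo(parentScoped, "admin.company.com", host),
            )
        )
    }
}
```

Only the first row reports `true` for the host-only cookie, while the `Domain=company.com` cookie reaches all three `*.company.com` hosts and neither look-alike domain.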

**Tools:** DNS configuration, load balancer or reverse proxy (NGINX/CloudFront), browser DevTools (Application tab to inspect cookie and storage scope)
