---
title: Host Apps On Different Hostnames
impact: MEDIUM
impactDescription: provides cookie and origin isolation between different environments and apps
tags: hostname, isolation, same-origin, security, php
---

## Host Apps On Different Hostnames

When multiple applications or environments (e.g., the admin and user-facing apps) share the same scheme, hostname and port, the browser treats them as one origin: they share cookies, `localStorage`, `sessionStorage`, and script access to each other's DOM. The Same-Origin Policy draws its boundary at the origin, not at the URL path, so a vulnerability in any one part of the site (a public blog, a marketing page) affects everything else served from that host.

**Incorrect (shared hostname):**

```text
https://company.com/blog     # Public blog
https://company.com/portal   # Sensitive user portal
https://company.com/admin    # Admin panel
# All share the Same Origin!
```

**Correct (isolated hostnames):**

```text
https://blog.company.com     # Public blog
https://portal.company.com   # Sensitive user portal
https://admin.company.com    # Admin panel
# Distinct origins: storage and DOM are isolated; cookies are too when set host-only
```

**Benefits of Isolation:**
- **Cookie Security**: A session cookie set by `portal.company.com` without a `Domain` attribute (a host-only cookie) is returned only to `portal.company.com`, never to `blog.company.com`. A cookie set with `Domain=company.com` is still shared by every subdomain, so the hostname split only helps if the cookies are scoped correctly; the `__Host-` cookie-name prefix makes the browser enforce this.
- **Origin Isolation**: Under the Same-Origin Policy, script running on the blog cannot read the portal's DOM, `localStorage`, `sessionStorage`, or responses to requests it sends there, because `blog.company.com` and `portal.company.com` are different origins.
- **CORS Control**: Cross-origin reads between the apps are denied by default; a CORS allowlist on the portal opens access only to the exact origins you name, rather than to everything that happens to share a hostname.
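To make the two browser rules behind this list concrete, here is an added example (not part of the original rule) that models them in plain PHP: `origin()`/`sameOrigin()` compute the (scheme, host, port) tuple the Same-Origin Policy compares, and `cookieSentTo()` applies RFC 6265 domain-matching to show when a cookie crosses the hostname boundary. It goes slightly beyond the text by also treating scheme and port as part of the origin. Function names are illustrative; the hostnames are the ones from the layouts above. Requires PHP 8.0+ for `str_ends_with()`.

```php
<?php
declare(strict_types=1);

// Added example, not code from the original rule: a model of the Same-Origin
// Policy comparison and of cookie domain-matching. Nothing here talks to a
// real browser; it only reproduces the rules the browser applies.

/** Origin = (scheme, host, port); default ports are normalised so that
 *  https://a and https://a:443 compare equal. */
function origin(string $url): array
{
    $u = parse_url($url);
    if ($u === false || !isset($u['scheme'], $u['host'])) {
        throw new InvalidArgumentException("not an absolute URL: $url");
    }
    $scheme = strtolower($u['scheme']);
    $port = $u['port'] ?? ($scheme === 'https' ? 443 : 80);
    return [$scheme, strtolower($u['host']), $port];
}

/** The path is deliberately ignored: /blog and /portal on one host are one origin. */
function sameOrigin(string $a, string $b): bool
{
    return origin($a) === origin($b);
}

/**
 * RFC 6265 domain-matching. A cookie set without a Domain attribute is
 * host-only and is returned only to the exact host that set it. A cookie set
 * with Domain=company.com is returned to company.com and every subdomain.
 */
function cookieSentTo(string $setByHost, ?string $domainAttr, string $requestHost): bool
{
    $setByHost   = strtolower($setByHost);
    $requestHost = strtolower($requestHost);
    if ($domainAttr === null) {
        return $requestHost === $setByHost;          // host-only cookie
    }
    $domain = strtolower(ltrim($domainAttr, '.'));   // a leading dot is ignored
    return $requestHost === $domain || str_ends_with($requestHost, '.' . $domain);
}

// Origin checks for the two layouts in this rule.
$originChecks = [
    'shared host, /blog vs /portal'          => sameOrigin('https://company.com/blog', 'https://company.com/portal'),
    'blog.company.com vs portal.company.com' => sameOrigin('https://blog.company.com', 'https://portal.company.com'),
    'https vs http on the same host'         => sameOrigin('https://portal.company.com', 'http://portal.company.com'),
];
foreach ($originChecks as $label => $same) {
    printf("%-42s %s\n", $label, $same ? 'SAME ORIGIN' : 'isolated');
}

// Cookie checks: does a cookie set by the portal reach the blog?
$cookieChecks = [
    'host-only portal cookie -> blog'        => cookieSentTo('portal.company.com', null, 'blog.company.com'),
    'Domain=company.com portal cookie -> blog' => cookieSentTo('portal.company.com', 'company.com', 'blog.company.com'),
    'host-only portal cookie -> portal'      => cookieSentTo('portal.company.com', null, 'portal.company.com'),
];
foreach ($cookieChecks as $label => $sent) {
    printf("%-42s %s\n", $label, $sent ? 'COOKIE SENT' : 'not sent');
}
```

The second table is the caveat in practice: splitting hostnames isolates the DOM and web storage unconditionally, but it isolates cookies only if they are issued host-only. A `Domain=company.com` cookie still reaches every subdomain.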

**PHP/Laravel Implementation (CORS):**

```php
<?php
// config/cors.php
// Only the named origins may read cross-origin responses, and only they may
// do so with cookies attached (supports_credentials). Never use '*' here
// together with supports_credentials: browsers reject that combination.
return [
    'paths'                => ['api/*'],
    'allowed_methods'      => ['GET', 'POST', 'PUT', 'DELETE'],
    'allowed_origins'      => [
        'https://portal.company.com',
        'https://admin.company.com',
    ],
    'allowed_headers'      => ['Content-Type', 'Authorization', 'X-Requested-With'],
    'supports_credentials' => true,
];
```
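The CORS allowlist governs cross-origin reads, but the session cookie itself also has to be scoped to one host, or the hostname split does nothing for it. The following added example (plain PHP, not code from the original rule or from Laravel) issues the portal's session cookie as a host-only `__Host-` cookie and renders the resulting `Set-Cookie` header so the scoping can be inspected. It assumes it runs at the start of every request on `portal.company.com`; `hostOnlySessionParams()` and `renderSetCookie()` are illustrative names. Requires PHP 7.3+ for the array form of `session_set_cookie_params()`.

```php
<?php
declare(strict_types=1);

// Added example, not from the original rule: host-only session cookie for
// portal.company.com. Assumes this file runs before any output is sent.

/**
 * Cookie parameters that bind the session to exactly one host.
 * An empty 'domain' yields a host-only cookie (no Domain attribute), so the
 * browser returns it only to portal.company.com and never to blog.company.com.
 */
function hostOnlySessionParams(): array
{
    return [
        'lifetime' => 0,      // discarded when the browser session ends
        'path'     => '/',    // __Host- requires Path=/
        'domain'   => '',     // host-only: never '.company.com'
        'secure'   => true,   // __Host- requires Secure
        'httponly' => true,   // keep it out of document.cookie
        'samesite' => 'Lax',  // not attached to cross-site POSTs
    ];
}

/**
 * Render the Set-Cookie header these parameters produce, so the scoping can
 * be reviewed without a browser. Mirrors the attributes PHP emits itself.
 */
function renderSetCookie(string $name, string $value, array $p): string
{
    $attrs = [$name . '=' . rawurlencode($value), 'Path=' . $p['path']];
    if ($p['domain'] !== '') {
        $attrs[] = 'Domain=' . $p['domain'];
    }
    if ($p['secure']) {
        $attrs[] = 'Secure';
    }
    if ($p['httponly']) {
        $attrs[] = 'HttpOnly';
    }
    $attrs[] = 'SameSite=' . $p['samesite'];
    return 'Set-Cookie: ' . implode('; ', $attrs);
}

// The __Host- prefix makes the browser reject the cookie unless it is Secure,
// has Path=/ and carries no Domain attribute. A later misconfiguration (someone
// adding Domain=company.com) then fails closed instead of leaking to subdomains.
session_name('__Host-portal_session');
session_set_cookie_params(hostOnlySessionParams());
session_start();

echo renderSetCookie(session_name(), session_id(), hostOnlySessionParams()), PHP_EOL;
```

In Laravel the same settings live in `config/session.php`: leave `'domain'` as `null`, set `'secure' => true`, `'http_only' => true`, `'same_site' => 'lax'`, and give `'cookie'` a `__Host-` prefixed name. Sharing a `SESSION_DOMAIN=.company.com` across the portal and blog undoes the isolation this rule is about.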

**Why it matters**
If an attacker finds an XSS vulnerability on your blog (`company.com/blog`), their script runs in the same origin as your portal (`company.com/portal`). Marking the portal's session cookie `HttpOnly` or scoping it with `Path=/portal` does not help: `Path` is not a security boundary, and the injected script can simply `fetch('/portal/...')` with the victim's cookies attached and read the response, or perform actions as the victim. Hosted on separate subdomains, the blog script is cross-origin to the portal: it cannot read the portal's DOM or storage, and its requests to the portal only return readable responses if the portal's CORS policy explicitly allows `blog.company.com`. Two residual caveats: cookies set with `Domain=company.com` (including ones a compromised blog sets onto the parent domain) still cross the boundary, so issue host-only `__Host-` cookies; and for the highest-value apps, such as the admin panel, a separate registrable domain isolates cookies more completely than a subdomain does.

**Tools:** Infrastructure planning, Nginx/Apache Virtual Hosts, Security Headers
