Hi!
I love the generated preview domains that need authentication to be accessed, but it just hit me that (git connected) production deploys with a custom domain always will have at least 3 domains connected to it.
I’m talking about production deploys. Let’s say I have a team named foo and a project called bar. I’ve assigned the custom domain bar.com and deleted bar.vercel.app from domains. So far so good.
My bar-app is deployed to production when I merge into main. After the merge my site is now available world-wide on 3 domains:
- bar.com (set up by me)
- bar-foo.vercel.app (auto generated by Vercel)
- bar-git-main-foo.vercel.app (auto generated by Vercel)
I have enabled “Standard Protection (recommended)”, but this does not restrict access to the auto generated domains.
There are some reasons why I feel this is bad:
- Content should not be duplicated on different domains (both for SEO and privacy/control).
- Search results and indexing. I don’t want my content to be indexed on other domains and show up in the search results.
- DDoS protection or other configs can be bypassed by using the vercel domains (e.g. if I have Cloudflare in front of bar.com)
- Having more domains available for the same content puts more responsibility on the developer and SEO in general. E.g. setting correct canonical URLs no matter what domain the user visits from, disabling robots if it’s a vercel.app URL, ++.
- Surprising behaviour. Even though I’ve added my custom domain and removed the vercel.app domain from domains my site is still available for all on domains I have not set up.
- Less control of domains / still available content on Vercel domains after my site or domain is deleted.
I also find the docs a bit misleading:
- If I manually re-deploy the site I see the following message:
  But it will actually be available on two more domains.
- If I go to Settings → Deployment Protection and hover “Standard Protection (recommended)” it says that all 3 domains will be available (true):
  but if I enable “Standard Protection (recommended)” and click the “Migrating to Standard Protection” link the docs tell me the following (not true?):
Is this the expected behaviour? Am I misinterpreting the docs?
I assume there is a good reason behind having the domains public for all, but it would be nice if the Vercel team could elaborate on this.
For now I guess a fix could be to redirect or password protect the site with a middleware if the site is visited from an auto generated domain. But to be fair I don’t think this is the developer’s responsibility to deal with.
I found some other issues / questions regarding the same topic:
- Remove Vercel Deployment Aliases
- How to disable the default domain name completely? · vercel/vercel · Discussion #6525 · GitHub
- How to remove the extra domains? · vercel/vercel · Discussion #5711 · GitHub
- How do I disable the two other vercel.app domains for a deployed project? - Stack Overflow
- Removing the default assigned domain name from Vercel
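
The host check that the middleware workaround mentioned in the post would need, as an added example (not part of the original post and not Vercel's code). It assumes the canonical domain is bar.com as in the post and that the caller passes in the deployment environment (on Vercel, the `VERCEL_ENV` system variable); `CANONICAL_HOST`, `decide` and `toResponse` are hypothetical names.

```javascript
// Added example. CANONICAL_HOST, decide() and toResponse() are hypothetical names.
const CANONICAL_HOST = "bar.com";        // the custom domain from the post
const GENERATED_SUFFIX = ".vercel.app";  // auto-generated aliases end with this

// Decide what to do with a request, given its full URL and the deployment
// environment (assumption: the caller passes e.g. process.env.VERCEL_ENV).
function decide(requestUrl, env) {
  const url = new URL(requestUrl);               // the parser lower-cases the hostname
  const host = url.hostname.replace(/\.$/, "");  // "bar.com." is the same host as "bar.com"

  // Preview and development deployments live on vercel.app by design; leave them alone.
  if (env !== "production" || host === CANONICAL_HOST) {
    return { action: "serve" };
  }
  // The suffix includes the leading dot, so "evilvercel.app" does not match.
  if (host.endsWith(GENERATED_SUFFIX)) {
    // Rewrite only the origin. Path and query are kept, and the target host is a
    // constant, so request input cannot steer the redirect to another site.
    url.protocol = "https:";
    url.hostname = CANONICAL_HOST;
    url.port = "";
    return { action: "redirect", status: 308, location: url.toString() };
  }
  // Deny by default: any other host name was never meant to serve this site.
  return { action: "reject", status: 421 };
}

// Turn a decision into a Fetch API Response; null means "continue to the site".
function toResponse(decision) {
  if (decision.action === "serve") return null;
  if (decision.action === "redirect") {
    return new Response(null, {
      status: decision.status,
      // noindex on the redirect itself keeps the alias out of search results.
      headers: { Location: decision.location, "X-Robots-Tag": "noindex" },
    });
  }
  return new Response("Misdirected Request", { status: decision.status });
}
```

Wiring `decide` into an actual middleware entry point is framework-specific and is left out here.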