Never Host IPFS on the Same Domain as Your App
If your main app runs on example.com, never host your IPFS gateway on ipfs.example.com. It’s a security time bomb.
Why? Because if someone uploads a malicious XSS payload—say, an HTML image or script file—and it lands at something like ipfs.example.com/ipfs/xss-image, your browser sees that as the same origin. Which means:
- Any script loaded from ipfs.example.com can access cookies and localStorage from example.com
- That includes auth tokens, session IDs, and anything else sensitive
Boom—your app is compromised. Game over.
Best practices
- Serve IPFS from a completely separate domain like ipfs-example.net
- Lock down cookies with the Domain=example.com; HttpOnly; Secure; SameSite=Strict flags
- Never allow untrusted content to share an origin or subdomain tree with your core app
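An added example (not code from the original post) that models how a browser scopes cookies by host, showing which cookies set by example.com reach a gateway at ipfs.example.com and which reach ipfs-example.net. The matching is a simplified form of RFC 6265. The cookie names and values are constructed, and the host-only cookie (no Domain attribute) is an extra case beyond the flags listed above.

```javascript
// Simplified RFC 6265 cookie scoping (no Path, expiry, or public-suffix checks).
// Cookie names and values in the sample jar below are constructed for illustration.
function parseSetCookie(header, setterHost) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const cookie = {
    name: pair.split("=")[0],
    domain: setterHost.toLowerCase(),
    hostOnly: true, // no Domain attribute: exact host match only
    httpOnly: false,
  };
  for (const attr of attrs) {
    const [k, v = ""] = attr.split("=").map((s) => s.trim().toLowerCase());
    if (k === "domain" && v) {
      cookie.domain = v.replace(/^\./, "");
      cookie.hostOnly = false; // Domain attribute: host plus all subdomains
    } else if (k === "httponly") {
      cookie.httpOnly = true;
    }
  }
  return cookie;
}

// Domain-match per RFC 6265 section 5.1.3 (IP-address hosts not handled).
function domainMatches(host, cookie) {
  const h = host.toLowerCase();
  if (h === cookie.domain) return true;
  return !cookie.hostOnly && h.endsWith("." + cookie.domain);
}

// Cookies attached to a same-site request to `host`. SameSite is ignored here
// because subdomains of example.com are the same site as example.com.
function sentTo(jar, host) {
  return jar.filter((c) => domainMatches(host, c)).map((c) => c.name);
}

// Cookies a script served from `host` can read through document.cookie.
function scriptReadable(jar, host) {
  return jar.filter((c) => domainMatches(host, c) && !c.httpOnly).map((c) => c.name);
}

const jar = [
  "session=abc; Domain=example.com; Secure",
  "sid=def; Domain=example.com; HttpOnly; Secure; SameSite=Strict",
  "csrf=ghi; Secure",
].map((h) => parseSetCookie(h, "example.com"));

for (const host of ["example.com", "ipfs.example.com", "ipfs-example.net"]) {
  console.log(host, { sent: sentTo(jar, host), readable: scriptReadable(jar, host) });
}
```

On ipfs.example.com the HttpOnly flag keeps `sid` out of script's reach, but the cookie is still sent with requests to that host. Nothing in the jar reaches ipfs-example.net.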
Security starts at the domain level. Don't let decentralized storage punch a hole in your centralized app. We follow the same practice on Hey.