Custom Convex Domain
When using a custom Convex domain, is the project ID obfuscated away from the end user? Like, is that project ID embedded in any type of websocket event that someone could get to then use to hit my Convex storage if they wanted?
4 Replies
My thinking is that if I added a proxy HTTP endpoint for my images, I'd want to put it behind Cloudflare CDN to cache the images and lower any Convex bandwidth charges, but if the project ID is discoverable to an end user, someone could easily just write a script to hit my convex.site directly and keep downloading the same file.
Convex, as far as I remember, is working on preventing such attacks; they will release another way to generate the URLs and such.
If you want to keep things more private, here's some surface areas to look out for:
1. Places where you use `process.env.CONVEX_SITE_URL` or `CONVEX_CLOUD_URL`. Unfortunately Convex Auth currently uses those values & isn't yet customizable, so you'd have requests and cookies with the backend name.
2. In your prod deployment, set the custom `VITE_CONVEX_URL` env variable and pass `--cmd-url-env-var-name IGNORE` to `npx convex deploy`
3. If you generate the OpenAPI spec, its root path will not be the custom domain.
Another thing you can think about is:
- The file storage endpoint only works if you have the UUID generated by getUrl.
- You don't have to expose that UUID or URL directly. You could have a custom http action that serves the data (can return a blob so it streams the response), based on some ID into your own table, that you could change or revoke.
- You could then require that some header passed from Cloudflare is present, but haven't looked into if they offer anything to verify requests.
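
A sketch of the approach in the last reply, as an added example that is not part of the thread and not Convex's own code: files are looked up by a revocable ID in your own table, and requests must carry a shared-secret header. The header name `x-origin-auth`, the sample rows and the function names are assumptions, and it assumes the CDN is configured to add that header to origin requests.

```typescript
// Added example: stand-alone model of the gating logic for a file-serving HTTP action.
type FileRow = { storageId: string; revoked: boolean };
type Decision = { status: number; storageId?: string };

// Constructed sample rows standing in for your own table: public ID -> storage ID.
const files = new Map<string, FileRow>([
  ["img_7f3a", { storageId: "constructed-storage-id-1", revoked: false }],
  ["img_9c21", { storageId: "constructed-storage-id-2", revoked: true }],
]);

// Hypothetical header name; the CDN is assumed to add it to every origin request.
const ORIGIN_HEADER = "x-origin-auth";

// Compare without returning early on the first mismatching byte.
function constantTimeEqual(a: string, b: string): boolean {
  const x = new TextEncoder().encode(a);
  const y = new TextEncoder().encode(b);
  let diff = x.length ^ y.length;
  for (let i = 0; i < Math.max(x.length, y.length); i++) {
    diff |= (x[i] ?? 0) ^ (y[i] ?? 0);
  }
  return diff === 0;
}

// Decide whether a request may receive a file, and which stored blob it maps to.
function authorize(request: Request, secret: string, table: Map<string, FileRow>): Decision {
  const presented = request.headers.get(ORIGIN_HEADER) ?? "";
  // An unset secret must fail closed, otherwise an empty header would match it.
  if (secret.length === 0 || !constantTimeEqual(presented, secret)) return { status: 403 };
  const publicId = new URL(request.url).pathname.split("/").pop() ?? "";
  const row = table.get(publicId);
  // Unknown and revoked IDs look identical to the caller.
  if (row === undefined || row.revoked) return { status: 404 };
  return { status: 200, storageId: row.storageId };
}

// Build the response; the storage ID itself never appears in it.
function toResponse(decision: Decision, blob: Blob | null): Response {
  if (decision.status !== 200) return new Response(null, { status: decision.status });
  if (blob === null) return new Response(null, { status: 404 });
  return new Response(blob, {
    status: 200,
    headers: { "Cache-Control": "public, max-age=86400" }, // lets the CDN cache the image
  });
}
```

Inside a Convex `httpAction`, the blob would come from `ctx.storage.get(storageId)` and the secret from a deployment environment variable; revoking a file is then a matter of flipping `revoked` on its row.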