Web Dev Cody, 3mo ago

Custom Convex Domain

When using a custom Convex domain, is the project id obfuscated away from the end user? Like, is that project id embedded in any type of websocket event that someone could get to and then use to hit my Convex storage if they wanted?
4 Replies
Web Dev Cody (OP), 3mo ago
My thinking is that if I added a proxy HTTP endpoint for my images, I'd want to put it behind Cloudflare CDN to cache the images and lower any Convex bandwidth charges, but if the project id is discoverable to an end user, someone could easily just write a script to hit my convex.site directly and keep downloading the same file.
jamalsoueidan, 3mo ago
Convex, as far as I remember, is working on preventing such attacks; they will release another way to generate the URLs and such.
ian, 3mo ago
If you want to keep things more private, here are some surface areas to look out for:

1. Places where you use process.env.CONVEX_SITE_URL or CONVEX_CLOUD_URL. Unfortunately Convex Auth currently uses those values & isn't yet customizable, so you'd have requests and cookies with the backend name.
2. In your prod deployment, set the custom VITE_CONVEX_URL env variable and pass --cmd-url-env-var-name IGNORE to npx convex deploy
3. If you generate the OpenAPI spec, its root path will not be the custom domain.

Another thing you can think about is:

- The file storage endpoint only works if you have the UUID generated by getUrl.
- You don't have to expose that UUID or URL directly. You could have a custom http action that serves the data (can return a blob so it streams the response), based on some ID into your own table, that you could change or revoke.
- You could then require that some header passed from Cloudflare is present, but haven't looked into if they offer anything to verify requests.
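
The header-gated image proxy described in the reply above, as an added example that is not part of the original thread and is not Convex's own code. It is written as a plain function over the fetch-style Request and Response objects an HTTP action works with. The header name `x-origin-secret`, the secret value, the `/img/<id>` route and the in-memory `images` map (standing in for your own table) are all assumptions, as is the CDN being configured to attach the secret header to requests it forwards.

```javascript
// Constructed values for illustration; in a deployment the secret would come
// from an environment variable and the rows from your own database table.
const ORIGIN_SECRET = "constructed-secret-value";
const SECRET_HEADER = "x-origin-secret"; // hypothetical header the CDN is assumed to add

// Public ID -> stored file. The storage UUID never appears in a URL,
// and flipping `revoked` cuts off access without touching the file.
const images = new Map([
  ["cat-01", { storageRef: "constructed-ref-1", revoked: false, type: "image/png", body: "fake-bytes-1" }],
  ["dog-02", { storageRef: "constructed-ref-2", revoked: true, type: "image/png", body: "fake-bytes-2" }],
]);

// Compare without an early exit so response timing does not reveal
// how many leading characters of the secret were guessed correctly.
function constantTimeEqual(a, b) {
  let diff = a.length ^ b.length;
  const n = Math.max(a.length, b.length);
  for (let i = 0; i < n; i++) {
    diff |= (a.charCodeAt(i) || 0) ^ (b.charCodeAt(i) || 0);
  }
  return diff === 0;
}

function serveImage(request) {
  // 1. Refuse anything that did not come through the CDN: a script hitting
  //    the origin hostname directly has no way to supply the secret.
  const supplied = request.headers.get(SECRET_HEADER) ?? "";
  if (!constantTimeEqual(supplied, ORIGIN_SECRET)) {
    return new Response("forbidden", { status: 403 });
  }

  // 2. Accept only a strict ID shape, then look it up in our own table.
  const match = new URL(request.url).pathname.match(/^\/img\/([A-Za-z0-9_-]{1,64})$/);
  const row = match ? images.get(match[1]) : undefined;
  if (!row || row.revoked) {
    return new Response("not found", { status: 404 });
  }

  // 3. Serve the bytes with a cache lifetime so the CDN absorbs repeat downloads.
  return new Response(row.body, {
    status: 200,
    headers: { "content-type": row.type, "cache-control": "public, max-age=86400" },
  });
}
```

Because revoked and unknown IDs both return 404, a caller cannot tell which IDs once existed; rotate the shared secret at the CDN and the origin together.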
