Never Host IPFS on the Same Domain as Your App
If your main app runs on example.com, never host your IPFS gateway on ipfs.example.com. It's a security time bomb.
Why? Because if someone uploads a malicious XSS payload—say, an HTML image or script file—and it lands at something like ipfs.example.com/ipfs/xss-image, your browser sees that as the same origin. Which means:
- Any script loaded from ipfs.example.com can access cookies and localStorage from example.com
- That includes auth tokens, session IDs, and anything else sensitive
Boom—your app is compromised. Game over.
Best practices
- Serve IPFS from a completely separate domain like ipfs-example.net
- Lock down cookies with the Domain=example.com; HttpOnly; Secure; SameSite=Strict flags
- Never allow untrusted content to share an origin or subdomain tree with your core app
Security starts at the domain level. Don't let decentralized storage punch a hole in your centralized app. We follow the same on Hey.
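To check which hosts a cookie set by example.com is in scope for, the following added example (not code from the original post) models RFC 6265 domain matching in JavaScript. The cookie names and values are constructed, and Path, Secure and public-suffix checks are assumed away.

```javascript
// Added example: RFC 6265 cookie scoping. Cookie names/values are constructed.
// Assumption: Path, Secure and public-suffix rejection are not modelled.

// RFC 6265 5.1.3: a host matches a domain if equal or a dot-separated suffix.
function domainMatch(host, domain) {
  host = host.toLowerCase();
  domain = domain.toLowerCase().replace(/^\./, "");
  return host === domain || host.endsWith("." + domain);
}

// Parse a Set-Cookie value as received from setterHost; null if it is rejected.
function parseSetCookie(header, setterHost) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const cookie = { name: pair.slice(0, eq), domain: setterHost.toLowerCase(),
                   hostOnly: true, httpOnly: false };
  for (const attr of attrs) {
    const [key, value = ""] = attr.split("=").map((s) => s.trim());
    if (key.toLowerCase() === "httponly") cookie.httpOnly = true;
    if (key.toLowerCase() === "domain" && value !== "") {
      // A server may only widen scope to a domain its own host matches.
      if (!domainMatch(setterHost, value)) return null;
      cookie.domain = value.toLowerCase().replace(/^\./, "");
      cookie.hostOnly = false;
    }
  }
  return cookie;
}

// What a page served from `host` gets: is the cookie attached to requests
// there, and can script on that page read it through document.cookie?
function exposure(cookie, host) {
  const inScope = cookie.hostOnly
    ? host.toLowerCase() === cookie.domain
    : domainMatch(host, cookie.domain);
  return { sent: inScope, scriptReadable: inScope && !cookie.httpOnly };
}

const samples = [
  "session=abc123; Domain=example.com; HttpOnly; Secure; SameSite=Strict",
  "theme=dark; Domain=example.com",
  "sid=xyz789; HttpOnly; Secure; SameSite=Strict", // host-only: no Domain
];
for (const header of samples) {
  const cookie = parseSetCookie(header, "example.com");
  for (const host of ["example.com", "ipfs.example.com", "ipfs-example.net"]) {
    console.log(cookie.name, host, JSON.stringify(exposure(cookie, host)));
  }
}
```

In this model the Domain attribute widens a cookie to every subdomain, so only the host-only cookie stays out of requests to ipfs.example.com, and no cookie set by example.com is ever in scope for ipfs-example.net.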