Cms: Discourage use of @web in base URL

Created on 14 Dec 2018 · 5Comments · Source: craftcms/cms

From the docs (https://docs.craftcms.com/v3/sites.html#site-url):

Don’t ever use the @web alias when defining your sites’ Base URLs. It could introduce a cache poisoning vulnerability, and Craft won’t be able to reliably determine which site is being requested.

I completely agree with the warning about using @web in a site's base URL and therefore suggest changing the "Base URL" description text when editing a site in the control panel to something more appropriate.

screenshot 2018-12-14 at 18 07 55

Source

putyourlightson

Most helpful comment

As of the next Craft 3.1 beta release, the web and CLI installers will no longer suggest @web for the site URL, and whatever URL is entered will be saved as a DEFAULT_SITE_URL environment variable in .env, and the actual site URL that gets stored will be replaced with $DEFAULT_SITE_URL (see 96867edd04d9e85f7727ee45a67fb95bcb5dde9f).

brandonkelly on 29 Dec 2018

👍2

All 5 comments

Yeah agree. We’re going to to move away from it (and aliases in general) in 3.1 in favor of environment variables thanks to the new support for them in CP settings (https://github.com/craftcms/cms/blob/3.1/docs/config/environments.md#control-panel-settings).

brandonkelly on 14 Dec 2018

👍2

Perfect, thanks!

putyourlightson on 15 Dec 2018

brandonkelly on 29 Dec 2018

👍2

The CLI installer still uses @web as default site URL. Site URL: [@web/]

jorenvanhee on 19 Feb 2019

That will only happen if you are installing with a config/project.yaml file already in place that defines a primary site with the baseUrl set to @web, or if you have a DEFAULT_SITE_URL environment variable defined, which is set to @web. In either case, Craft will just go with the flow. Otherwise no it will not recommend @web out of the blue anymore.

brandonkelly on 19 Feb 2019

Was this page helpful?

0 / 5 - 0 ratings