undefined | Better HN

0 pointsfreedomben2y ago0 comments

As with most things, it's a tradeoff of security vs convenience/usability. The CIA Triad comes to mind. I advocate for using separate domains for dev, staging, and prod (at least prod vs. non-prod) and for a wildcard cert for a non-prod domain, the convenience far outweighs the security risk IMHO.

But yeah generally speaking, it's best to avoid wildcards unless there's an actual benefit to using them, even when it's not a prod domain.

0 comments

couchand2y ago

And the beautiful thing about domains is that they're hierarchical, so you can arbitrarily split your trust boundaries.

blagie2y ago

A cert for .test.domain seems reasonable, for example, especially if the test infrastructure is dynamic, and you e.g. have CI/CD for a Cartesian product of:
every branch

* several test data sets

* several feature flag / configuration sets

* ...

j / k navigate · click thread line to collapse