Hardcoded Domain in HTML

Learn how to prevent hardcoded domain vulnerabilities in HTML with real code examples and best practices. Protect your web applications from security risks associated with hardcoded domains.

Tools recognizing this: Opengrep, Fortify, Checkmarx, SonarQube, Snyk, Semgrep, CodeQL

What is Hardcoded Domain in HTML and How Does it Work?

Hardcoded domains in HTML refer to the practice of embedding absolute URLs with specific domain names directly in the HTML code. This can lead to security vulnerabilities and maintenance issues, particularly when:

  • The application needs to be deployed across different environments

  • The domain needs to change in the future

  • Content needs to be served from different CDNs

  • SSL/TLS protocols need to be enforced consistently

This guide covers hardcoded domain vulnerabilities, examples, prevention methods, and how to implement secure domain references in your HTML code.

One Simple Hardcoded Domain Example

Consider this classic example of a hardcoded domain:

<script src="http://example.com/js/script.js"></script>
<img src="https://example.com/images/logo.png">

These hardcoded URLs can cause issues when:

  • Moving between development and production environments

  • Switching between HTTP and HTTPS

  • Changing content delivery networks

Hardcoded Domain Prevention Methods: How to Fix Your Code

The most efficient way to fix hardcoded domain issues is to use protocol-relative URLs or environment variables for domain configuration. This allows for flexible deployment across different environments while maintaining security.

Code Samples

Vulnerable Code


Fixed Code

<script src="//cdnjs.cloudflare.com/ajax/libs/jquery/2.2.4/jquery.min.js" 
        integrity="sha256-BbhdlvQf/xTY9gja0Dq3HiwQF8LaCRTXxZKRutelT44=" 
        crossorigin="anonymous"></script>
<link href="//maxcdn.bootstrapcdn.com/bootstrap/3.3.7/css/bootstrap.min.css" 
      integrity="sha384-BVYiiSIFeK1dGmJRAkycuHAHRg32OmUcww7on3RYdg4Va+PmSTsz/K68vbdEjh4u" 
      crossorigin="anonymous" rel="stylesheet">

Fix Explanation

  • The vulnerable code uses a hardcoded HTTP protocol.

  • The fix uses protocol-relative URLs (starting with //).

  • Integrity hashes were added for security.

  • The crossorigin attribute was added for proper CORS handling.

Vulnerable Code

<img src="https://myapp.com/images/logo.png">
<a href="http://myapp.com/about">About</a>

Fixed Code

<img src="/images/logo.png">
<a href="/about">About</a>

Fix Explanation

  • The vulnerable code uses absolute URLs with hardcoded domains.

  • The fix uses relative paths from the root.

  • Allows for flexible deployment across different domains.

  • Automatically adapts to the current protocol (HTTP/HTTPS).

Vulnerable Code

<meta property="og:image" content="https://production.myapp.com/social.jpg">
<script src="https://static.myapp.com/js/main.js"></script>

Fixed Code

<meta property="og:image" content="${ASSET_URL}/social.jpg">
<script src="${CDN_URL}/js/main.js"></script>

Fix Explanation

  • The vulnerable code hardcodes production URLs.

  • The fix uses environment variables for domain configuration.

  • Allows for different URLs in development and production.

  • Enables easy CDN configuration changes.
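As an added example (not Mobb's own code), the build step below expands the ${ASSET_URL} / ${CDN_URL} placeholders used in the fix above out of configuration, and refuses any value that is not https:// or not on an allowlist, so a mis-set environment cannot reintroduce an http:// or unexpected domain into the rendered HTML. The ALLOWED_HOSTS list and the sample values are assumptions for illustration.

```javascript
// Added example, not Mobb's own code: a build step that expands the
// ${ASSET_URL} / ${CDN_URL} placeholders from the third fix sample out of
// configuration, and refuses any value that is not https:// or not on an
// allowlist, so a mis-set environment cannot reintroduce an http:// or
// unexpected domain into the rendered HTML. ALLOWED_HOSTS is an assumption.
const ALLOWED_HOSTS = ["cdn.example-app.net", "static.example-app.net"];

// Returns a normalised base URL (no trailing slash) or throws with the reason.
function validateBaseUrl(name, value, allowedHosts = ALLOWED_HOSTS) {
  let url;
  try {
    url = new URL(value);
  } catch {
    throw new Error(`${name}: not an absolute URL: ${value}`);
  }
  if (url.protocol !== "https:") {
    throw new Error(`${name}: must use https://, got ${url.protocol}`);
  }
  if (!allowedHosts.includes(url.hostname)) {
    throw new Error(`${name}: host ${url.hostname} is not allowlisted`);
  }
  if (url.search || url.hash) {
    throw new Error(`${name}: query string or fragment is not allowed`);
  }
  // Strip trailing slashes so "${CDN_URL}/js/main.js" joins without "//".
  return url.href.replace(/\/+$/, "");
}

// Replaces every ${NAME} placeholder; every referenced variable must be set
// and valid, so the build fails instead of emitting a broken or insecure URL.
function renderTemplate(template, env, allowedHosts = ALLOWED_HOSTS) {
  const resolved = new Map();
  return template.replace(/\$\{([A-Z0-9_]+)\}/g, (_, name) => {
    if (!(name in env)) throw new Error(`${name} is not set`);
    if (!resolved.has(name)) {
      resolved.set(name, validateBaseUrl(name, env[name], allowedHosts));
    }
    return resolved.get(name);
  });
}

// Constructed sample input mirroring the guide's third "Fixed Code" snippet.
const TEMPLATE = [
  '<meta property="og:image" content="${ASSET_URL}/social.jpg">',
  '<script src="${CDN_URL}/js/main.js"></script>',
].join("\n");

const SAMPLE_ENV = { ASSET_URL: "https://static.example-app.net/", CDN_URL: "https://cdn.example-app.net" };
console.log(renderTemplate(TEMPLATE, SAMPLE_ENV));
```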

Vulnerable Code

<form action="https://api.myapp.com/submit" method="POST">
    <input type="hidden" name="callback" value="https://myapp.com/callback">
</form>

Fixed Code

<form action="/submit" method="POST">
    <input type="hidden" name="callback" value="<%= request.getScheme() %>://<%= request.getServerName() %>/callback">
</form>

Fix Explanation

  • The vulnerable code uses hardcoded domains for API endpoints.

  • The fix uses relative paths and dynamic URL generation.

  • Automatically adapts to the current domain and protocol.

  • Maintains flexibility for different deployment environments.

Vulnerable Code

<script src="http://analytics.example.com/tracker.js"></script>
<iframe src="http://widgets.example.com/widget.html"></iframe>

Fixed Code

<script src="https://analytics.example.com/tracker.js"></script>
<iframe src="https://widgets.example.com/widget.html"></iframe>

Fix Explanation

  • The vulnerable code uses the HTTP protocol, causing mixed content warnings.

  • The fix enforces HTTPS for all external resources.

  • Prevents security warnings in modern browsers.

  • Ensures secure content delivery.
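As an added example (not Mobb's own code), the checker below scans HTML for the three patterns the samples above flag: plain http:// URLs, absolute URLs pointing at the application's own hosts, and cross-origin script or stylesheet tags with no integrity attribute. OWN_HOSTS and the sample HTML are assumptions constructed from the guide's snippets.

```javascript
// Added example, not Mobb's own code: a small checker for the three patterns
// the samples above flag. It scans src/href/action/content attributes and
// reports plain http:// URLs (mixed content), absolute URLs that point at the
// application's own hosts (these should be root-relative paths), and
// cross-origin <script>/<link> tags with no integrity attribute.
// OWN_HOSTS is an assumed setting naming the application's own domains.
const OWN_HOSTS = ["myapp.com"];

const TAG_RE = /<(script|link|img|a|form|iframe|meta)\b([^>]*)>/gi;
const ATTR_RE = /\b(src|href|action|content)\s*=\s*["']([^"']*)["']/gi;

// True for the host itself and any subdomain of it (api.myapp.com etc.).
function isOwnHost(host, ownHosts) {
  const h = host.toLowerCase();
  return ownHosts.some((own) => h === own || h.endsWith("." + own));
}

function findHardcodedDomains(html, ownHosts = OWN_HOSTS) {
  const findings = [];
  for (const [, rawTag, attrs] of html.matchAll(TAG_RE)) {
    const tag = rawTag.toLowerCase();
    const hasIntegrity = /\bintegrity\s*=/i.test(attrs);
    for (const [, attr, value] of attrs.matchAll(ATTR_RE)) {
      // Only absolute (scheme://host) or protocol-relative (//host) URLs matter;
      // root-relative paths and ${PLACEHOLDER} templates are what we want.
      const m = /^(https?:)?\/\/([^/:?#]+)/i.exec(value);
      if (!m) continue;
      const [, scheme, host] = m;
      const report = (issue) => findings.push({ tag, attr, value, issue });
      if (scheme && scheme.toLowerCase() === "http:") report("insecure-http");
      if (isOwnHost(host, ownHosts)) {
        report("absolute-own-domain");
      } else if ((tag === "script" || tag === "link") && !hasIntegrity) {
        report("missing-integrity");
      }
    }
  }
  return findings;
}

// Constructed sample built from the guide's own snippets.
const SAMPLE_HTML = [
  '<script src="http://example.com/js/script.js"></script>',
  '<img src="https://myapp.com/images/logo.png">',
  '<a href="/about">About</a>',
  '<script src="//cdnjs.cloudflare.com/ajax/libs/jquery/2.2.4/jquery.min.js"',
  '        integrity="sha256-BbhdlvQf/xTY9gja0Dq3HiwQF8LaCRTXxZKRutelT44=" crossorigin="anonymous"></script>',
].join("\n");
console.log(findHardcodedDomains(SAMPLE_HTML));
```

Protocol-relative URLs pass this check because the guide recommends them; they inherit the scheme of the page they appear on, so they only yield HTTPS when the page itself is served over HTTPS.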

Need more help in preventing Hardcoded Domain vulnerabilities?

Mobb supports fixing many forms of Hardcoded Domain vulnerabilities, and can mitigate your issues in batch. Start now for free at https://app.mobb.ai

We'd love your feedback!

We're excited to hear your thoughts and ideas about fixing vulnerabilities. Contact us if you have any corrections, questions or suggestions.

Last updated 2 months ago
