# Hardcoded Domain in HTML #### Tools recognizing this: Opengrep Fortify Checkmarx SonarQube Snyk Semgrep CodeQL ## What is Hardcoded Domain in HTML and How Does it Work? Hardcoded domains in HTML refer to the practice of embedding absolute URLs with specific domain names directly in the HTML code. This can lead to security vulnerabilities and maintenance issues, particularly when: * The application needs to be deployed across different environments * The domain needs to change in the future * Content needs to be served from different CDNs * SSL/TLS protocols need to be enforced consistently This guide covers hardcoded domain vulnerabilities, examples, prevention methods, and how to implement secure domain references in your HTML code. ## One Simple Hardcoded Domain Example Consider this classic example of a hardcoded domain: {% code overflow="wrap" %} ```html

``` {% endcode %} These hardcoded URLs can cause issues when: • Moving between development and production environments • Switching between HTTP and HTTPS • Changing content delivery networks ## Hardcoded Domain Prevention Methods: How to Fix Your Code The most efficient way to fix hardcoded domain issues is to use protocol-relative URLs or environment variables for domain configuration. This allows for flexible deployment across different environments while maintaining security. ### Code Samples {% tabs %} {% tab title="CDN Resources" %} **Vulnerable Code** ```html ``` **Fixed Code** ```html ``` **Fix Explanation** The vulnerable code uses hardcoded HTTP protocol.The fix uses protocol-relative URLs (starting with //).Added integrity hashes for security.Added crossorigin attribute for proper CORS handling. {% endtab %} {% tab title="Internal Resources" %} **Vulnerable Code** ```html

About ``` **Fixed Code** ```html

About ``` **Fix Explanation** The vulnerable code uses absolute URLs with hardcoded domains.The fix uses relative paths from the root.Allows for flexible deployment across different domains.Automatically adapts to the current protocol (HTTP/HTTPS). {% endtab %} {% tab title="Environment Variables" %} **Vulnerable Code** ```html ``` **Fixed Code** ```html ``` **Fix Explanation** The vulnerable code hardcodes production URLs.The fix uses environment variables for domain configuration.Allows for different URLs in development and production.Enables easy CDN configuration changes. {% endtab %} {% tab title="Dynamic URLs" %} **Vulnerable Code** ```html ``` **Fixed Code** ```html ``` **Fix Explanation** The vulnerable code uses hardcoded domains for API endpoints.The fix uses relative paths and dynamic URL generation.Automatically adapts to the current domain and protocol.Maintains flexibility for different deployment environments. {% endtab %} {% tab title="Mixed Content" %} **Vulnerable Code** ```html ``` **Fixed Code** ```html ``` **Fix Explanation** The vulnerable code uses HTTP protocol, causing mixed content warnings.The fix enforces HTTPS for all external resources.Prevents security warnings in modern browsers.Ensures secure content delivery. {% endtab %} {% endtabs %} ## Need more help in preventing Hardcoded Domain vulnerabilities? [Mobb](https://mobb.ai) supports fixing many forms of Hardcoded Domain vulnerabilities, and can mitigate your issues in batch. Start now for free at [app.mobb.ai](https://app.mobb.ai) ### We'd love your feedback! We're excited to hear your thoughts and ideas about fixing vulnerabilities. [Book a meeting](https://calendly.com/mobbai/demo) or [Contact us](https://content.mobb.ai/contact) if you have any corrections, questions or suggestions. Start now for free at