36
I built a full-stack app, how should I host it? (programming.dev)
submitted 2 weeks ago by echodrift@programming.dev to c/programming@programming.dev
8 comments fedilink hide all child comments

So basically I built a backend with some working endpoint and I built a React Frontend. I can run both things locally and I hosted the page on Cloudflare pages which is working. But now I’m wondering if that’s a good idea?

I have never done this before and I’m wondering if it’s secure enough to host the backend on some server and allow a CORS header to let the Frontend generate requests?

The alternative would be to host Frontend and backend on a VPS and then route my domain that I bought on Cloudflare there, but then I’m thinking that in case my Frontend is insecure somehow the whole instance would be compromised, no?

I hope this is the right platform to ask as I’m pretty new here.

you are viewing a single comment's thread
view the rest of the comments
[-] MajorHavoc@programming.dev 12 points 2 weeks ago* (last edited 2 weeks ago)

I have never done this before and I’m wondering if it’s secure enough to host the backend on some server and allow a CORS header to let the Frontend generate requests?

As long as you can get it working without putting any wildcards (asterix *) in your CORS headers, you're using CORS as intended, and should be fine.

The alternative would be to host Frontend and backend on a VPS and then route my domain that I bought on Cloudflare there, but then I’m thinking that in case my Frontend is insecure somehow the whole instance would be compromised, no?

Back in my day we almost always hosted the front end and the back end on the same host. Of course, we also did a lot of stupid shit back then.

It's not a disaster to host them the same place, but it's certainly not a best practice. It's better to get the CORS headers working, if you can. But just hosting them the same place isn't, by itself, a security issue. It enables a shit ton of other security mistakes to be cause a lot more harm. But it's not, itself, a problem.

Edit: Bonus tip. You probably know this, but lots of newbies miss it. Every piece of code and config in your front end app is optional to me and to all bad actors. So take care you don't put any important secrets or critical defensive decision logic there.

[-] echodrift@programming.dev 2 points 2 weeks ago

Thanks, this is reassuring. Yeah I don’t really know what I’m doing with the headers but trying my best to be as restrictive as possible. I think I’m still doing something wrong with the headers because I can’t seem to connect to the backend when the fronting is deployed.

Yeah I’m super paranoid about what I’m exposing, I made sure that there are no environment variables or secrets exposed.

[-] MajorHavoc@programming.dev 2 points 2 weeks ago

Hang in there. CORS is a huge pain in the ass on the best day.

That said, if the issue is CORS, there should be a pretty specific message in the browser debug menu. Note that, if I've read that page correctly, the error won't be available to JavaScript runtime, as an intentional security "feature".

this post was submitted on 15 Dec 2024
36 points (100.0% liked)

Programming

17701 readers
6 users here now

Welcome to the main community in programming.dev! Feel free to post anything relating to programming here!

Cross posting is strongly encouraged in the instance. If you feel your post or another person's post makes sense in another community cross post into it.

Hope you enjoy the instance!

Rules

Rules

  • Follow the programming.dev instance rules
  • Keep content related to programming in some way
  • If you're posting long videos try to add in some form of tldr for those who don't want to watch videos

Wormhole

Follow the wormhole through a path of communities !webdev@programming.dev

founded 2 years ago
MODERATORS
snowe@programming.dev
Ategon@programming.dev
MaungaHikoi@lemmy.nz