[lucideer]

> how do I protect my site or sites of clients from being subjected to this. Is there anything proactive that can be done?

Some steps to prevent this happening to you:

1. Host only code you own & control on your own domain. Unless...

2. If you have a use-case for allowing arbitrary users to publish & host arbitrary code on a domain you own (or subdomains of), then ensure that domain is a separate dedicated one to the ones you use for your own owned code, that can't be confused with your own owned hosted content.

3. If you're allowing arbitrary members of the public to publish arbitrary code for preview/testing purposes on a domain you own - have the same separation in place for that domain as mentioned above.

4. If you have either of the above two use-cases, publish that separated domain on the Mozilla Public Suffix list https://publicsuffix.org/

[vintagedave]

That would protect your domains from being poisoned by arbitrary publishing, but wouldn't it risk all your users being affected by one user publishing?

[lucideer]

Allowing user publishing is an inherent risk - these are good mitigations but nothing will ever be bulletproof.

The main issue is protecting innocent users from themselves - that's a hard one to generalise solutions to & really depends on your publishing workflows.

Beyond that, the last item (Public Suffix list) comes with some decent additional mitigations as an upside - the main one being that Firefox & Chrome both enable more restrictive cookie settings while browsing any domains listed in the public suffix list.

---

All that said - the question asked in the comment at the top of the thread wasn't about protecting users from security risk, but protecting the domain from being flagged by Google. The above steps should at least do that pretty reliably, barring an actual legitimate hack occurring.

[asimpleusecase]

Thank you for your thoughtful and helpful reply.