I'm relatively new to Firebase Hosting. I have a web app that I'm working on and I have 2 Firebase Projects setup: 1 for my Production environment and 1for my Staging environments.
Ideally, I would want my Staging environment to NOT be indexed by Google.
Does anybody know if Google crawls Firebase hosted sites by default? If so, is the best way to prevent that to add a robots.txt that disallows all?
Any information would be much appreciated.
I don't think Google treats a web app hosted on firebase any differently than a web app hosted anywhere else; Google automatically indexes everything it can find. Officially, Google finds websites by looking for links and sitemaps. So, if your staging environnement is not linked to anywhere and you don't submit a sitemap directly to Google, in theory you shouldn't get indexed.
But, I wouldn't just count on the fact that you're not putting links out there. Links might find themselves online for some reason at some point in the future.
You could add a robots.txt to your staging site with this value:
User-agent: *
Disallow: /
But in my experience, an even better solution is to make your staging site unaccessible without a username/password. That way, Google's bot won't be able to index anything else than a login form. And if people do find your staging URL, they won't be able to see what's going on there.
Most people actually try hard to be indexed very high and it's not that simple. Since your goal is to NOT rank high, should be very easy. It's like trying to not win a game.
Related
I have decided to switch my customer base over to email link sign in with Firebase rather than Google/Email/Apple that I was previously doing.
I got everything set up, tested, and all was working well. Since I have now released customer wide I am starting to run into issues.
Some customers, including gmail users are getting a Suspicious email alert due to having a firebaseapp.com link in it. Today, I created a brand new project for a customer and went to log in for the first time, Gmail as all good, but now Chrome is giving me a "Deceptive site ahead" error page saying this website does phishing (the subdomain is about 6 hours old).
Can anyone think of an appropriate solution for this, or will I have to do some URL rewriting?
It is frustrating the firebase URLs are so blacklisted across the internet(I have had to omit storage url links for pictures and make custom emails altogether since the domain is banned by Exchange), I would think this should be much easier than it is being made out to be.
When I first ran into the Gmail issue the only thing Firebase support gave me as a solution is to build my own custom email handler. In following that, I assume I would either need to rewrite the domain after generating the sign in link, which I am a bit hesitant to do in case there are domain changes in the future or I wondered if updating my email template domain will solve the problem. When I started this process I realized I needed to update my DNS records for this. The problem here is that I whitelabel apps and have 150 projects or so and each customer gets their own project. The management of this is really not feasible.
I have dynamic links enabled for all projects and use the projectid.page.link domain for them if there is some way I can get that to work as well.
Below is the scenarios I have done and facing difficulties in proceeding further.
Firebase deployed - deployed to firebaseapp.com
Created custom domain in firebase,named subdomain.mydomain.com
copied the TXT from the advanced Setting
I have domain in google. named domain.com
In domains.google.com under Custom resource records pasted the TXT text and wrote sub-domain at the place of #.
Below are my doubts
How to make firebase deploy to subdomain.mydomain.com, now
it is deploying to firebase.app.com
What else should I do to make subdomain.mydomain.com to live and show my page
Note: I just brought the domain, only basic setting like enabling security has been done.
Update the question with screenshots
1.Firebase
2.GoogleDomains verification
Thanks Mr. #FrankVanPuffelen,
I spoke with the domains.google.com support team and understood the mistake I have done.
Follow below to avoid mistakes
WARNING: Don't disturb by making any change in setting. wait for atleast 12hours(works max at 6 hours)
If it is not working don't hesitate, contact the support team and talk with them
contact me for any help if you still have an issue 😃
I am working on a Wordpress website hosted on Godaddy and struggling with a Malware issue.
Every now and then the webpages start displaying thousands of random links on top of the pages.
When I searched for the texts in the content files, the only place I could find them was in comet cache.
If I delete the cache files, the links go away but again come back after few days.
Can anyone please suggest how can I prevent such a scenario and what all steps I can take to secure my website from such vulnerabilties.
Many thanks in advance.
There's a number of things that could be causing it. Check all of the following to help remove security holes:
Are you running the latest version of WordPress? If not, there could be a known vulnerability that is being exploited.
Are all your plugins up to date? For the same reason as above - a poorly written WordPress plugin can open up security holes.
Do the WordPress files and folders have the correct CHMOD permissions on the server? If not, you're asking for trouble.
I'd recommend any/all of the following as further reading:
http://www.wpbeginner.com/wordpress-security/
https://codex.wordpress.org/Hardening_WordPress
If you don't want to do this work on your own, and you're working with GoDaddy, they offer (and now own) Sucuri which is a security service that will scan and clean your site. You can do this one-time, or pay for a monthly service that will continuously protect and restore your site.
I am in the process of creating a staging site for my woocommerce shop.
Wanting to protect access to it, I put it behind an HTTP Authorisation.
However, this means that PayPal IPN will not work.
This site is only for my testing usage. I do not want people creating accounts on it.
However, as it is supposed to be using exactly the same code base as production I cannot envisage disabling the signup code.
This is my dilemma.
What can be done to protect this site from unwanted access, still leaving it as a correct copy of production code ?
What I would do is to create a new site under another domain name or subdomain without making the DNS pointers. You would then need to set the pointer in you local hosts file. The site would then work like normal for you but without the entry in the host file you would not be able to access the website(at least not in a normal way without manipulating the requests). As you probably guessed, this is not super safe if you really don't want anyone else to access the staging site, but usually that is not a big deal. No one will end up there by misstake.
Secondly I would create a script sync the production environment to the staging environment. This can be done quite easily using WP-CLI (wp db export db-dump.sql + wp db import db-dump.sql + wp search-replace domain.com stage.domain.com).
I have the impression that there is no ideal solution to this question.
This is my solution - others may have better or alternative answers though.
I created a special sub-domain under a different domain.
I then installed all necessary code and setup the site as if it were a production site. Then I created my test accounts and disactivated all account sign-up links.
I have been able to setup paypal sandbox as well.
This gives me a staging site using the same code base as production where in I can test all changes and updates before applying them to production, without having the risk of using existing client data.
This meets my needs. I hope it may be useful for others.
I'm looking into building database driven websites based on opensource platforms in a sandbox area rather than having them accessible via the final URL until clients have paid up.
Is anyone aware of any problems this may cause with paths or functionality, or, know of any good articles on the subject?
many thanks
Shaun
There is no bad effect on functionality just because it is in sandbox. Generally, Joomla is almost location independent (untill and unless you are driving multiple websites from same joomla installation)
For security purpose secure the URL via .htaccess file (if more security required then setup a cron to update password every X hours, and email new details to user)
I would suggest having a cut-down, less privileged or demo account for signup users that can still enjoy the overall experience of your site without the full functionality of your killer-webapp services. "Restricting" them in a Sandbox area that is not even the actual site would not be as appealing and convincing as it could be for them to go from "freemium to premium" customers.
I develop all joomla sites on a local server and then upload to the production server once approved. In Joomla, when I upload the files to the production server, I usually need to change the mysql server as well and it can all be changed from the configuration.php file