
What a dot at the end of a domain name can threaten

There is such a thing as the root domain; accordingly, every fully qualified domain name ends with a dot. You may not even suspect that your site is reachable under a domain name with a trailing dot (domain.zone.), since browsers let you open a site with or without the dot at the end of the domain.

Here you can read more about fully qualified and relative domain names.

Possible problems


If you do not account for the fact that a user may accidentally type the domain name with a dot at the end, or follow a link from a "well-wisher" and land on your site under the domain name with a trailing dot, the following unexpected situations are possible:

1) If the website works over HTTPS, then on access via the domain name with a trailing dot the browser will show a warning about an untrusted connection, which will rather surprise the user.

2) Authorization may not work, because cookies are often set for the domain name without the trailing dot. The user will then wonder for a long time why they cannot log in. Notably, a cookie set for a domain name with a trailing dot will NOT be sent to the domain name without the dot, and vice versa.

3) JavaScript on the page may break if access to the site via the domain name with a trailing dot was not anticipated, which is unacceptable for serious resources.

4) Page caching on the site may misbehave (for example, www.cloudflare.com simply does not allow clearing the cache of individual pages under the name with a trailing dot, reporting that the domain name is wrong).

5) If the web server configuration relies on a specific domain name (%{HTTP_HOST} in Apache, $http_host in Nginx) without the trailing dot, all sorts of unforeseen situations are possible: unexpected redirects, oddities with basic authentication, and so on.

6) If the web server is not configured to serve the domain name with a trailing dot, a user who accidentally types a dot at the end of the domain will see something like: Bad Request - Invalid Hostname.

7) In theory, search engines may decide that your resource has duplicate content if someone accidentally or deliberately publishes links to pages on your site with a dot at the end of the domain name (if you know whether search engines treat domain.zone and domain.zone. as one domain, you are welcome to comment on the topic).

Solution


A redirect from the domain name with a trailing dot to the domain name without it avoids some of the problems above:

Apache (.htaccess)
RewriteCond %{HTTP_HOST} !^domain\.zone$
RewriteRule ^(.*)$ http://domain.zone/$1 [L,R=301]

Nginx (nginx.conf)
if ($http_host != 'domain.zone') {
    return 301 http://domain.zone$request_uri;
}

IIS (web.config)
<httpRuntime relaxedUrlToFileSystemMapping="true"/>
<rule name="point" stopProcessing="true">
    <match url="^(.*)\.$" />
    <action type="Redirect" url="{R:1}" redirectType="Temporary" />
</rule>
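The same redirect done at the application layer, as an added example that is not part of the original article: a WSGI middleware that strips a single trailing dot from the Host header, keeps the request's scheme and port, and builds the redirect target from a constant rather than from the client's header. The names redirect_target and TrailingDotRedirect, and the choice to answer 400 for any other host instead of redirecting it, are assumptions of this example; domain.zone is the article's placeholder.

```python
import re
from urllib.parse import quote

CANONICAL_HOST = "domain.zone"  # the article's placeholder site name
DEFAULT_PORTS = {"http": 80, "https": 443}
# group 1: host name, group 2: optional single trailing dot, group 3: optional port
HOST_RE = re.compile(r"^([a-z0-9-]+(?:\.[a-z0-9-]+)*)(\.?)(?::(\d{1,5}))?$")


def redirect_target(host_header, scheme, path_qs):
    """Return the URL to 301 to, or None if the host is already canonical.

    Raises ValueError for malformed or foreign Host values.
    """
    m = HOST_RE.match(host_header.strip().lower())
    if not m or m.group(1) != CANONICAL_HOST:
        raise ValueError("unexpected Host header")
    if not m.group(2):
        return None  # no trailing dot: serve the request normally
    # Build the target from the constant, never from the client's header.
    netloc = CANONICAL_HOST
    port = m.group(3)
    if port and int(port) != DEFAULT_PORTS.get(scheme):
        netloc += f":{int(port)}"
    return f"{scheme}://{netloc}{path_qs}"


class TrailingDotRedirect:
    """WSGI middleware (hypothetical name) applying redirect_target()."""

    def __init__(self, app):
        self.app = app

    def __call__(self, environ, start_response):
        # PATH_INFO arrives latin-1 decoded; re-encode and percent-quote it.
        path_qs = quote(environ.get("PATH_INFO", "/").encode("latin-1")) or "/"
        if environ.get("QUERY_STRING"):
            path_qs += "?" + environ["QUERY_STRING"]
        scheme = environ.get("wsgi.url_scheme", "http")
        try:
            target = redirect_target(environ.get("HTTP_HOST", ""), scheme, path_qs)
        except ValueError:
            start_response("400 Bad Request", [("Content-Type", "text/plain")])
            return [b"Invalid hostname\n"]
        if target is None:
            return self.app(environ, start_response)
        start_response("301 Moved Permanently",
                       [("Location", target), ("Content-Length", "0")])
        return [b""]
```

Wrap the application object with `TrailingDotRedirect(app)`; cookies and host-dependent logic then only ever see the name without the dot.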

Reconnaissance


Facebook
https://www.facebook.com.
Redirects to www.facebook.com (after the warning about an untrusted connection is accepted).

Megaupload
https://mega.co.nz./#login
Authorization works, but after switching to the domain without the trailing dot, https://mega.co.nz, the user is treated as not logged in.

Stack overflow
http://stackoverflow.com.
Bad Request - Invalid Hostname
HTTP Error 400. The request hostname is invalid.

Github
https://github.com./login
Authorization does not work.

Twitter
https://twitter.com.
404 - Page not found.

Yahoo
https://login.yahoo.com.
Authorization does not work.

Wikipedia
http://en.wikipedia.org./w/index.php?title=Special:UserLogin
Authorization does not work.

MSN
http://msn.com.
Bad Request - Invalid Hostname
HTTP Error 400. The request hostname is invalid.

Microsoft
http://microsoft.com.
Bad Request - Invalid Hostname
HTTP Error 400. The request hostname is invalid.

ebay
https://signin.ebay.com./ws/eBayISAPI.dll?SellItem
Authorization works successfully.

Tumblr
http://www.tumblr.com.
Not found.

Flickr
http://www.flickr.com.
Sorry, Flickr does not allow embedding in an iframe.

Dropbox
www.dropbox.com./login
Error (403) It seems you were trying to do something strange. Did you log in to another Dropbox account in the next window?

VK
http://vk.com.
Authorization does not work.
JavaScript Error: "NS_ERROR_DOM_BAD_DOCUMENT_DOMAIN: Illegal document.domain value" vk.com. (line 41)

Alexa
https://www.alexa.com.
Redirects to www.alexa.com

Yandex Mail
https://mail.yandex.ru.
Authorization works successfully and redirects to mail.yandex.ru/neo2/#inbox

Yandex Search
www.yandex.ru.
JavaScript Error: "NS_ERROR_DOM_BAD_DOCUMENT_DOMAIN: Illegal document.domain value" www.yandex.ru. (line 5)

Habrahabr
http://habrahabr.ru./login/
Authorization does not work.

Mail.ru
http://mail.ru.
Configured redirect to mail.ru
https://e.mail.ru./cgi-bin/login
Authorization does not work.

UPD:
1) In Nginx, you cannot configure a virtual server by specifying a fully qualified domain name as server_name (#comment_6011533):
 server {
     server_name domain.zone.;
     ...
 }

Source: https://habr.com/ru/post/172999/

