This version of GitHub Enterprise will be discontinued on This version of GitHub Enterprise was discontinued on 2020-05-23. No patch releases will be made, even for critical security issues. For better performance, improved security, and new features, upgrade to the latest version of GitHub Enterprise. For help with the upgrade, contact GitHub Enterprise support.

Article version: Enterprise Server 2.17

Enabling subdomain isolation

You can set up subdomain isolation to securely separate user-supplied content from other portions of your GitHub Enterprise Server appliance.

In this article

About subdomain isolation

Subdomain isolation mitigates cross-site scripting and other related vulnerabilities. For more information, see "Cross-site scripting" on Wikipedia. We highly recommend that you enable subdomain isolation on your GitHub Enterprise Server instance.

When subdomain isolation is enabled, GitHub Enterprise Server replaces several paths with subdomains.

Path without subdomain isolationPath with subdomain isolation
http(s)://HOSTNAME/assets/http(s)://assets.HOSTNAME/
http(s)://HOSTNAME/avatars/http(s)://avatars.HOSTNAME/
http(s)://HOSTNAME/codeload/http(s)://codeload.HOSTNAME/
http(s)://HOSTNAME/gist/http(s)://gist.HOSTNAME/
http(s)://HOSTNAME/media/http(s)://media.HOSTNAME/
http(s)://HOSTNAME/pages/http(s)://pages.HOSTNAME/
http(s)://HOSTNAME/raw/http(s)://raw.HOSTNAME/
http(s)://HOSTNAME/render/http(s)://render.HOSTNAME/
http(s)://HOSTNAME/reply/http(s)://reply.HOSTNAME/
http(s)://HOSTNAME/uploads/http(s)://uploads.HOSTNAME/

Prerequisites

Warning: If subdomain isolation is disabled, we recommend also disabling GitHub Pages on your appliance. There will be no way to isolate user-supplied GitHub Pages content from the rest of your appliance's data. For more information, see "Configuring GitHub Pages on your appliance."

Before you enable subdomain isolation, you must configure your network settings for your new domain.

  • Specify a valid domain name as your hostname, instead of an IP address. For more information, see "Configuring a hostname."

Warning: Do not change the hostname for GitHub Enterprise Server after initial setup. Changing the hostname will cause unexpected behavior, up to and including instance outages. If you need to change the hostname for GitHub Enterprise Server, contact GitHub Enterprise Support or GitHub Premium Support.

  • Set up a wildcard Domain Name System (DNS) record or individual DNS records for the subdomains listed above. We recommend creating an A record for *.HOSTNAME that points to your server's IP address so you don't have to create multiple records for each subdomain.
  • Get a wildcard Transport Layer Security (TLS) certificate for *.HOSTNAME with a Subject Alternative Name (SAN) for both HOSTNAME and the wildcard domain *.HOSTNAME. For example, if your hostname is github.octoinc.com, get a certificate with the Common Name value set to *.github.octoinc.com and a SAN value set to both github.octoinc.com and *.github.octoinc.com.
  • Enable TLS on your appliance. For more information, see "Configuring TLS."

Enabling subdomain isolation

  1. In the upper-right corner of any page, click .
    Rocketship icon for accessing site admin settings
  2. In the left sidebar, click Management Console.
    Management Console tab in the left sidebar
  3. In the left sidebar, click Hostname.
    Hostname tab in the settings sidebar
  4. Select Subdomain isolation (recommended).
    Checkbox to enable subdomain isolation
  5. Under the left sidebar, click Save settings.
    Save settings button

Ask a human

Can't find what you're looking for?

Contact us