Subdomain isolation securely separates user-supplied content from other portions of your GitHub Enterprise appliance. This mitigates cross-site scripting and other related vulnerabilities.

We highly recommend that you enable subdomain isolation.

Warning: If subdomain isolation is disabled, we recommend disabling GitHub Pages on your appliance. There will be no way to isolate user-supplied GitHub Pages content from the rest of your appliance's data.

When subdomain isolation is enabled, GitHub Enterprise replaces several paths with subdomains:

| Original Path | With subdomain isolation |
|---|---|
| http(s)://hostname/assets/ | http(s)://assets.hostname/ |
| http(s)://hostname/avatars/ | http(s)://avatars.hostname/ |
| http(s)://hostname/codeload/ | http(s)://codeload.hostname/ |
| http(s)://hostname/gist/ | http(s)://gist.hostname/ |
| http(s)://hostname/gist-assets/ | http(s)://gist-assets.hostname/ |
| http(s)://hostname/gist-raw/ | http(s)://gist-raw.hostname/ |
| http(s)://hostname/media/ | http(s)://media.hostname/ |
| http(s)://hostname/pages/ | http(s)://pages.hostname/ |
| http(s)://hostname/raw/ | http(s)://raw.hostname/ |
| http(s)://hostname/render/ | http(s)://render.hostname/ |
| http(s)://hostname/reply/ | http(s)://reply.hostname/ |
| http(s)://hostname/uploads/ | http(s)://uploads.hostname/ |

If you decide to enable subdomain isolation, you will also need to:

  • Specify a valid domain name as your hostname (instead of an IP address).
  • Set up a wildcard DNS record or individual DNS records for the subdomains listed above. We recommend creating an A record for *.[hostname] that points to your server's IP address so you don't have to create a separate record for each subdomain.
  • Get a wildcard TLS certificate for *.[hostname] with a Subject Alternative Name (SAN) for [hostname]. For example, if your hostname is github.octoinc.com, get a certificate with the Common Name value set to *.github.octoinc.com and a SAN value set to github.octoinc.com.
  • Enable TLS on your appliance.

For more information on setting up subdomain isolation, see "Enabling subdomain isolation."
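
A preflight check for the DNS and certificate prerequisites listed above, as an added example that is not part of GitHub's documentation or tooling. The function names and the injectable resolver are assumptions made for illustration; the subdomain list comes from the table on this page. It shows why the bare hostname needs its own SAN entry: a wildcard stands for exactly one label, so *.[hostname] does not cover [hostname] itself.

```python
import socket

# Subdomains taken from the table on this page.
ISOLATION_SUBDOMAINS = [
    "assets", "avatars", "codeload", "gist", "gist-assets", "gist-raw",
    "media", "pages", "raw", "render", "reply", "uploads",
]

def required_names(hostname):
    """Every name the appliance must answer for once isolation is enabled."""
    hostname = hostname.lower().rstrip(".")
    return [hostname] + [f"{sub}.{hostname}" for sub in ISOLATION_SUBDOMAINS]

def cert_name_matches(pattern, name):
    """Match one certificate DNS name against a host name.

    A wildcard is honoured only as the whole left-most label and stands for
    exactly one label: *.example.test covers a.example.test, but neither
    example.test nor a.b.example.test.
    """
    pattern, name = pattern.lower().rstrip("."), name.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == name
    head, _, rest = name.partition(".")
    return bool(head) and rest == pattern[2:]

def uncovered_names(hostname, cert_names):
    """Required names that none of the certificate's DNS names cover.

    cert_names: DNS names the certificate presents (current TLS clients
    read these from the SAN extension rather than the Common Name).
    """
    return [n for n in required_names(hostname)
            if not any(cert_name_matches(p, n) for p in cert_names)]

def unresolved_names(hostname, resolver=socket.gethostbyname):
    """Required names that fail to resolve; resolver is injectable for tests."""
    missing = []
    for name in required_names(hostname):
        try:
            resolver(name)
        except OSError:  # socket.gaierror is a subclass of OSError
            missing.append(name)
    return missing

if __name__ == "__main__":
    host = "github.octoinc.com"  # hostname from the page's example
    print(uncovered_names(host, ["*.github.octoinc.com"]))
    print(uncovered_names(host, ["*.github.octoinc.com", host]))
```

Run it before switching isolation on; any name returned by either function will fail for users once the paths move to subdomains.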