add projects.staging.oryapis.dev

[tricky42]

Public Suffix List (PSL) Submission

Checklist of required steps

• Description of Organization

• Robust Reason for PSL Inclusion

• DNS verification via dig

• Each domain listed in the PRIVATE section has and shall maintain at least two years remaining on registration, and we shall keep the _psl TXT record in place in the respective zone(s).

Submitter affirms the following:

• We are listing any third-party limits that we seek to work around in our rationale such as those between IOS 14.5+ and Facebook (see Issue #1245 as a well-documented example)

• Cloudflare
• Let's Encrypt
• MAKE SURE UPDATE THE FOLLOWING LIST WITH YOUR LIMITATIONS! REMOVE ENTRIES WHICH DO NOT APPLY AS WELL AS REMOVING THIS LINE!

• This request was not submitted with the objective of working around other third-party limits.

• The submitter acknowledges that it is their responsibility to maintain the domains within their section. This includes removing names which are no longer used, retaining the _psl DNS entry, and responding to e-mails to the supplied address. Failure to maintain entries may result in removal of individual entries or the entire section.

• The Guidelines were carefully read and understood, and this request conforms to them.
• The submission follows the guidelines on formatting and sorting.

Abuse Contact:
eMail: [email protected]

• Abuse contact information (email or web form) is available and easily accessible.
  URL where abuse contact or abuse reporting form can be found:
  eMail: [email protected]

---

For PRIVATE section requests that are submitting entries for domains that match their organization website's primary domain, please understand that this can have impacts that may not match the desired outcome and take a long time to rollback, if at all.

To ensure that requested changes are entirely intentional, make sure that you read the affectation and propagation expectations, that you understand them, and confirm this understanding.

PR Rollbacks have lower priority, and the volunteers are unable to control when or if browsers or other parties using the PSL will refresh or update.

(Link: about propagation/expectations)

• Yes, I understand. I could break my organization's website cookies and cause other issues, and the rollback timing is acceptable. Proceed anyways.

---

Description of Organization

Ory is a modern Identity and Access Management (IAM) platform providing Identity & Login Management, OAuth2/OIDC, and Permission Management through Ory Network, our cloud service. We serve hundreds of customers globally, managing over 100 million identities. While Ory offers various deployment options including open-source and enterprise licenses, this PSL request concerns Ory Network, our instant-on global identity system where each customer project receives its own subdomain for accessing identity services.
Our platform combines enterprise-grade security with developer-friendly implementations, making it a trusted choice for organizations requiring solutions that balance user experience, privacy, and security. A key component of our security architecture is our cookie-based security model for browser applications. Instead of using token storage in localStorage or document.cookies, we implement HTTP cookies with strict security flags (secure, httpOnly, sameSite=Strict), providing best-in-class protection against common browser attack vectors such as XSS and CSRF.

Organization Website:
https://www.ory.sh

Reason for PSL Inclusion

Before adding our production domain (projects.oryapis.com) to the PSL, we need to validate in our staging environment that this change does not negatively impact our customers' authentication systems. Therefore, we first require PSL inclusion for our staging domain projects.staging.oryapis.dev.
Our cookie-based security model (detailed at https://www.ory.sh/docs/security-model) is core to our browser security architecture. Instead of using traditional token-based methods, we implement HTTP cookies with strict security flags (secure, httpOnly, sameSite=Strict) to store session states and protect against common attack vectors like XSS and CSRF. This approach requires strict cookie isolation between different project subdomains.
The staging environment mirrors our production setup, allowing us to thoroughly test the PSL integration and validate these critical security boundaries before affecting hundreds of customers' authentication systems. Each subdomain serves a different customer's authentication and identity management APIs, making proper domain isolation essential for our security architecture.

Number of users this request is being made to serve:
Hundreds of customers use our services to manage over 100 million identities.

DNS Verification

❯ dig +short TXT _psl.projects.staging.oryapis.dev
"https://github.com/publicsuffix/list/pull/2288"

[simon-friedberger]

1. How exactly are you planning to evaluate impact? I am generally against adding testing and staging environments. They should not have "production" secrets and should therefore be unnecessary.
2. You seem to be in control of the cookies, can you just use __Host- cookies?

[tricky42]

Hi Simon,

thanks for your quick response.

How exactly are you planning to evaluate impact? I am generally against adding testing and staging environments. They should not have "production" secrets and should therefore be unnecessary.

We have extensive E2E tests, which would allow us to validate that there are no unforeseen problems before rolling out the change to production. While we understand your stance that, in general, you are against adding non-prod environments. We hope you understand the impact this change can have on our customer base; therefore, we require validation on staging before we can roll out this configuration to prod.

You seem to be in control of the cookies, can you just use __Host- cookies?

Yes, we are in control of the cookies. While we appreciate the security benefits of __Host- cookies, Ory Network cannot implement them without significant changes to our current architecture and functionality. Our system relies on configuring cookie domains and paths to support multi-domain setups and provide flexibility for various deployment scenarios. __Host- cookies strictly require the absence of a Domain attribute and a fixed Path of ‘/’, which would remove essential customization options our users depend on. Additionally, our cookie-based security model already implements strong protections such as Secure, HttpOnly, and SameSite attributes, which address many of the same security concerns as __Host- cookies. Switching to __Host- cookies would require us to redesign core components of our service and potentially break compatibility for many of our users’ existing configurations.

[simon-friedberger]

"We have extensive E2E tests," doesn't really help me understand how it works. Do you have a bot visit sites with a browser? Why not modify that browser to use a testing list? If we make the requested PSL changes, when will your test setup pick up on those changes?

[wdhdev]

• Expiration (Note: Must STAY >2y at all times)
  • oryapis.dev expires 2025-09-29
• DNS _psl entries (Note: Must STAY in place)
  • _psl.projects.staging.oryapis.dev
• Sorting
• Reasoning/Organization description
• Non-personal email address

---

Notes:

• I can't seem to find any actual evidence of subdomain usage from my sources. Are you able to confirm the structure of this nested subdomain?
  • SSL logs: https://crt.sh/?q=projects.staging.oryapis.dev - Only the default Cloudflare-issued wildcards are displaying, are you serving content via HTTP and then just relying on CF proxy for SSL?
  • No results on https://subdomainfinder.c99.nl
  • No results when searching site:projects.staging.oryapis.dev on Google.
• oryapis.dev expires 2025-09-29, this must be above 2 years, please renew it accordingly.

[wdhdev]

@tricky42 Do you still need this request? We haven't received a response in over 15 days.