How do I mitigate subdomain reuse?


A subdomain takeover occurs when an attacker gains control of a target domain. Typically, takeovers happen when an application is deprecated but its old URL remains active and can still receive traffic from legacy users. An attacker can create an app at that URL, intercept the traffic, and serve their own content. This can lead to phishing attacks, cookie theft, and bypassing OAuth allowlisting. You want to prevent this from happening with your app.


On June 14, 2023, Heroku will start appending 12-character random identifiers to subdomains to prevent domains from being taken over after renaming or deleting apps. The URL format is While you can't enable this on apps created prior to that date, any apps created after that date automatically mitigate subdomain reuse. The random identifier is not a part of the app name.

See the Dev Center for more info about app names and subdomains.
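For apps that predate the random identifiers, a practical check is to audit everything that still points at a `herokuapp.com` hostname (DNS CNAME targets, OAuth redirect URIs) against the apps you currently own. The sketch below is an added example, not Heroku's code or tooling; the function names, hostnames and reference list are constructed for illustration.

```python
from urllib.parse import urlsplit

HEROKU_SUFFIX = ".herokuapp.com"


def heroku_host(value):
    """Return the normalized *.herokuapp.com hostname found in a DNS
    target or URL, or None if the value points somewhere else."""
    value = value.strip()
    host = urlsplit(value).hostname if "://" in value else value
    if not host:
        return None
    host = host.rstrip(".").lower()  # drop the DNS root dot, ignore case
    return host if host.endswith(HEROKU_SUFFIX) else None


def find_stale_references(references, owned_hosts):
    """references: iterable of (source, value) pairs.
    Returns (source, host) for every reference to a Heroku hostname that
    is not in the inventory of apps you still control."""
    owned = {h.rstrip(".").lower() for h in owned_hosts}
    stale = []
    for source, value in references:
        host = heroku_host(value)
        if host and host not in owned:
            stale.append((source, host))
    return stale


# Constructed sample data: current app inventory and references to audit.
OWNED = ["shop-prod.herokuapp.com"]
REFERENCES = [
    ("dns CNAME www.example.com", "shop-prod.herokuapp.com."),
    ("dns CNAME beta.example.com", "Shop-Beta.herokuapp.com."),
    ("oauth redirect_uri", "https://shop-old.herokuapp.com/auth/callback"),
    ("oauth redirect_uri", "https://www.example.com/auth/callback"),
    ("dns CNAME cdn.example.com", "assets.example.net."),
]

if __name__ == "__main__":
    for source, host in find_stale_references(REFERENCES, OWNED):
        print(f"STALE: {source} -> {host} (remove or repoint)")
```

Each flagged entry is a record or allowlist entry to delete or repoint before the referenced app name can be claimed by someone else.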
