Custom domains

Apply your own domain names to BreachFix Cloud web services and static sites. Your service keeps its default {serviceId}.breachfix.com URL (e.g. srv-abc123.breachfix.com) in addition to any custom domains you add.

Overview

  • Default service URLs use platform TLS (Cloudflare Universal SSL on *.breachfix.com).
  • Custom external domains use customer-managed TLS at your DNS provider in v1.
  • Routing activates immediately after DNS verification — no redeploy required.

1. Add your domain in the dashboard

  1. Open your service in the BreachFix Cloud dashboard.
  2. Go to Settings and scroll to Custom domains.
  3. Enter your domain (e.g. app.example.com) and click Add domain.

If your domain includes Unicode characters, convert it to Punycode first (e.g. ëxample.com → xn--xample-ova.com).

DNS instructions appear immediately after you add the domain.

2. Configure DNS with your provider

Remove any AAAA records from your domain while configuring DNS. AAAA records map to IPv6 addresses and can cause unexpected behavior.

Point your domain to your service's default host ({serviceId}.breachfix.com), shown in the dashboard:

  • Subdomains (e.g. www.example.com): add a CNAME record.
  • Root/apex domains (e.g. example.com): use ANAME, ALIAS, or CNAME flattening if your provider supports it; otherwise add a CNAME record for www and redirect the apex to it separately.

Provider-specific guides:

3. Verify your domain

  1. Return to Settings → Custom domains in the dashboard.
  2. Click Verify next to your domain.
  3. If verification fails, DNS may still be propagating — wait a few minutes and try again. Use dig CNAME your.domain +short to confirm the record points to your service host.
  4. When verification succeeds, routing is active. Configure TLS at your DNS provider if you have not already.
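
A check you can run before clicking Verify, shown here as an added example (not BreachFix Cloud code): it takes `dig +noall +answer` style lines and reports a wrong or missing CNAME, leftover AAAA records, and CAA records that exclude your certificate authority. The function names, the sample records, and the issuer value `letsencrypt.org` are assumptions made for illustration.

```python
# Added example: pre-verification check over `dig +noall +answer` style lines.
def to_ascii(domain):
    """Convert a Unicode domain to its Punycode (IDNA) form."""
    return domain.strip().rstrip(".").encode("idna").decode("ascii").lower()

def parse_answers(text):
    """Yield (name, type, rdata) from lines of: name ttl class type rdata."""
    for line in text.splitlines():
        parts = line.split(None, 4)
        if len(parts) == 5 and not line.startswith(";"):
            yield parts[0].rstrip(".").lower(), parts[3].upper(), parts[4].strip()

def preflight(domain, service_host, answers, tls_issuer):
    """Return a list of problems likely to break verification or TLS issuance."""
    name = to_ascii(domain)
    host = service_host.rstrip(".").lower()
    records = list(parse_answers(answers))
    problems = []
    targets = [r.rstrip(".").lower() for n, t, r in records if n == name and t == "CNAME"]
    if host not in targets:
        problems.append(f"CNAME for {name} is {targets or 'missing'}, expected {host}")
    if any(n == name and t == "AAAA" for n, t, _ in records):
        problems.append(f"AAAA record present on {name}; remove it")
    # Simplification: any CAA "issue" record on the name or a parent is treated as applying.
    issuers = []
    for n, t, r in records:
        fields = r.split(None, 2)
        if t == "CAA" and (name == n or name.endswith("." + n)) and len(fields) == 3:
            if fields[1].lower() == "issue":
                issuers.append(fields[2].strip('"').split(";")[0].strip().lower())
    if issuers and tls_issuer.lower() not in issuers:
        problems.append(f"CAA allows only {issuers}; {tls_issuer} cannot issue")
    return problems

# Constructed sample records (documentation addresses, not real data).
SAMPLE_GOOD = "app.example.com. 300 IN CNAME srv-abc123.breachfix.com.\n"
SAMPLE_BAD = (
    "app.example.com. 300 IN A 192.0.2.10\n"
    "app.example.com. 300 IN AAAA 2001:db8::10\n"
    'example.com. 300 IN CAA 0 issue "ca.example"\n'
)

if __name__ == "__main__":
    for label, sample in (("good", SAMPLE_GOOD), ("bad", SAMPLE_BAD)):
        # "letsencrypt.org" stands in for whichever CA your TLS provider uses (assumption).
        print(label, preflight("app.example.com", "srv-abc123.breachfix.com",
                               sample, "letsencrypt.org"))
```

The CNAME check applies to subdomains; an apex domain using ANAME, ALIAS, or CNAME flattening returns address records instead, so a missing CNAME there is expected.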

TLS for custom domains

BreachFix Cloud automatically provides TLS for default {serviceId}.breachfix.com URLs. For custom domains on your own zone, you configure TLS at your DNS provider:

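  • Cloudflare: set SSL/TLS mode to Full (not Full Strict) when proxying. In Full mode, Cloudflare encrypts traffic to the origin but does not validate the origin's certificate.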
  • Other providers: use your provider's certificate or HTTPS termination.

Advanced

OAuth callback URLs

If your app uses OAuth, register callback URLs for your custom domain in each provider console (Google does not support arbitrary subdomain wildcards).

Wildcard domains

Wildcard custom domains (e.g. *.example.com) are not fully supported in v1. Add individual subdomains instead.

CAA records

If your domain defines CAA records, ensure your TLS provider can issue certificates for your custom domain configuration.