Ask HN: How can a website copy mine in real time?
Hey everyone,
I am literally going insane since yesterday night as my website is being cloned in real time and I cannot explain how that is possible.
I use NextJS and host it on Vercel.
As soon as I deploy a change it gets copied instantly, even the API routes.
I just added a check to see if the referrer is allowed and, since they copy everything, their requests return a 401.
Mine is a .com and theirs is a .xyz
Does anyone have any idea?
Thank you
20 comments
[ 3.1 ms ] story [ 64.9 ms ] threadthere are tons of automated systems copying everything everywhere unfortunately. a lot are fairly ok to block.
There's also services you can hire or hosting providers who do some filtering for you, but those are generally more expensive than basic ones. (added security tooling around their platform)
How can I stop this?
if (req.http.host ~ "^(?i)(example.com|www.example.com)") { #redirect to https } else { return(synth(403, "Not allowed.")); }
It basically checks if the host is my domain. I don’t know know what the equivalent of `req.http.host` is on the web server you use. This "solution" might run into issues with Google Translate, but I’m not sure.
On the frontend you can also use Javascript to do the same thing and just redirect their traffic to your own (or block them).
Make sure to specify canonical tags etc too so Google doesn't think those duped domains are yours.
If you have any API routes, make sure you set up CORS and CSPs and such to block requests from unauthorized domains.
(Edit: You can probably also just throw Cloudflare in front of the whole setup: https://vercel.com/docs/integrations/external-platforms/clou...)
Look the Host header in your API backend and block it. It might be forged, but probably not.
Identify their host (reverse IP lookup) and block requests from that ASN. If they host in same place as you, complain and get them shut down (or move).
The obfuscated JS based domain checking others suggested.
None of these is perfect, but they don’t have to be. Just keep adding layers until they go away for good.
If you are worried about blocking legit users with this method, you can show a CAPTCHA instead on every request from a suspect IP.
At any rate, get their IP from your logs and run a whois on it to get their ISP and location. You could also try emailing the ISP's abuse contact or filing a DMCA complaint with their hosting provider, although of course that might not work.
Ive added JSFuck code for this specifically on a few occasions
DirectNIC did it to me.
You can test this by adding a file like inxed.htm (note the deliberate misspelling) in your web root folder without any links to it anywhere and seeing if you can hit it in their web server.