Ory is the largest open source community in the world for cloud software application security. We maintain advanced open source security software solving authentication, authorization, access control, application network security, and delegation. Ory implements a variety of industry and best-practice standards including OAuth 2.0 / OAuth 2.1, OpenID Connect, Zero Trust Networking, Google Zanzibar Policy Framework, FIDO2 U2F, WebAuthn, TOTP, and more.

Ory Community

hello, where do we specify in the ory console that the cookie session should only work for specific subdomains and not ALL subdomains. For example, i want the session cookie to only work on `<http://api.website.com|api.website.com>` and `<http://app.website.com|app.website.com>` but not on other subdomains like `<http://blog.website.com|blog.website.com>` or `<http://stats.website.com|stats.website.com>` etc...? where do we configure that? *(in other words, how do you protect against session hijack attacks from a compromised subdomain?)*

<https://www.ory.sh/docs/kratos/guides/configuring-cookies#session-cookies>

be explicit in the domain.