I'm using Xano with a custom domain (api.xxxx.com) proxied through Cloudflare for security purposes. When serving public files (vault), I expect the files to load via our custom domain (https://api.xxxx.com/vault/...).
However, when inspecting network requests in the browser console, these files are loaded directly from:
https://storage.googleapis.com/xxx-wwww-yyy.n5.xano.io/vault/...
This happens because Xano is redirecting the request to the original domain, "unmasked". I know it's hitting Google's servers and they can handle a DDoS, but this behavior exposes our underlying Xano domain (xxx-wwww-yyy.n5.xano.io) and completely bypasses our Cloudflare proxy, potentially raising security concerns.
Questions:
Is this standard Xano behavior, or is it considered a bug/security issue?
Is there a recommended way to consistently enforce serving public files from our custom domain and Cloudflare setup without leaking the original domain?
EDIT: Just figured this might be the fix, with a Worker handling the request and hiding the URL.
Any insights or suggestions to resolve or mitigate this issue would be appreciated!
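
The Worker approach mentioned in the edit above, as an added example that is not part of the original post and is not Xano or Cloudflare code: it follows the vault redirect inside the Worker, so the browser only ever sees the custom domain, and drops response headers that name the storage backend. The hostnames are the masked placeholders from the post; the function names, the header pattern and the allow-list are assumptions.

```javascript
// Added example; all names here are illustrative assumptions.
const VAULT_PREFIX = "/vault/";
// Final hosts the Worker will relay from (placeholders taken from the post).
const ALLOWED_FINAL_HOSTS = ["api.xxxx.com", "storage.googleapis.com"];
// Response headers that would reveal the storage backend to the browser.
const BACKEND_HEADER = /^(x-goog-|x-guploader-|location$)/i;

// True when the path, after URL normalisation of "." and "..", is under /vault/.
function isVaultRequest(requestUrl) {
  return new URL(requestUrl).pathname.startsWith(VAULT_PREFIX);
}

// Copy [name, value] header pairs, dropping the ones that name the backend.
function scrubHeaders(pairs) {
  return [...pairs].filter(([name]) => !BACKEND_HEADER.test(name));
}

// After a followed redirect the response URL is on another host; accept only
// exact matches so the Worker cannot be turned into an open proxy.
function isExpectedFinalHost(finalUrl, allowedHosts) {
  return allowedHosts.includes(new URL(finalUrl).hostname);
}

const worker = {
  async fetch(request) {
    // Everything outside the vault goes to the origin unchanged.
    if (!isVaultRequest(request.url)) return fetch(request);
    // Follow the origin's redirect here instead of handing it to the browser.
    const upstream = await fetch(request.url, { method: "GET", redirect: "follow" });
    if (!isExpectedFinalHost(upstream.url, ALLOWED_FINAL_HOSTS)) {
      return new Response("Bad gateway", { status: 502 });
    }
    return new Response(upstream.body, {
      status: upstream.status,
      headers: new Headers(scrubHeaders(upstream.headers)),
    });
  },
};
// In a Workers module project this object is the default export:
//   export default worker;
```

This covers only the redirect; a storage URL that appears inside an API response body would still reach the client and needs separate handling.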