Summary
When linking a custom domain to a Replit app, the app remains accessible via both the custom domain and the default .replit.app domain. There’s currently no way to disable the Replit-provided URL.
Request
Add an option to disable or hide the default .replit.app domain once a custom domain is connected.
Reasoning
- Improves branding and professional appearance by allowing apps to be accessible only through their own domain.
- Reduces security and user confusion risks caused by multiple active URLs.
- Matches behavior of other hosting platforms (e.g. Vercel, Netlify) that let developers limit access to one domain.
Suggested Implementation
A toggle in domain settings:
“Disable default .replit.app domain when using a custom domain.”
I’d imagine it’s required as it’s part of the config/forwarding through the custom domain system.
It isn’t required. I have a single line of code in my apps that gives a 403 if user tries the replit domain. Own domain is allowed through. Configured from a secret, so can re-enable if ever needed.
It still may be required in the back-end config as a routing method, on a different layer.
Share the line, Steve, geesh!
Had it in my core ADK for a few months and built several apps with it - they all work 
BTW, the reason I added this was an old discussion in here about someone getting floods of bot traffic to their replit domain, and no way to turn it off. Whereas, my domains go via Cloudflare and so bot traffic is fairly well filtered by them.
Remember, I am no longer writing code, Agent does it all, so feel free to blame it if this is wrong.
// this is from the very top of index.ts file
import express, { type Request, type Response, type NextFunction } from "express";
import { registerRoutes } from "./routes";
import { setupVite, serveStatic, log } from "./vite";
import { setupAdminRoutes } from "./admin";
import fs from "fs";
import path from "path";

const app = express();

// Trust proxy headers (required for correct protocol detection behind proxies like Cloudflare/Replit)
app.set('trust proxy', true);

// Block replit.app domain entirely - can be useful to prevent bot traffic
app.use((req: Request, res: Response, next: NextFunction) => {
  // Host names are case-insensitive, so lowercase before matching
  const host = (req.get('Host') || '').toLowerCase();
  if (host.includes('replit.app')) {
    // Check if production domain access is enabled via secret
    const isProdAccessEnabled = process.env.REPLIT_PROD_DOMAIN_ACCESS === 'true';
    if (!isProdAccessEnabled) {
      return res.status(403).send('Domain access blocked');
    }
  }
  next();
});
2 Likes
I’m used to asking the agent to set up a 301 redirect from the Replit domain to my custom domain, and it works perfectly for me in multiple projects…
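An allowlist variant of the host check discussed in this thread, as an added example that is not code from any of the posters or from Replit: it compares the normalised Host header against the custom domain and then either returns the 403 or issues the 301 redirect described above. The hostname `app.example.com` and the names `HostPolicy`, `normalizeHost`, `decideHost` and `hostGuard` are assumptions made for illustration.

```typescript
// Added example: allowlist host check. Names and hostnames are constructed for illustration.
type HostDecision =
  | { action: "allow" }
  | { action: "block" }
  | { action: "redirect"; location: string };

interface HostPolicy {
  allowedHosts: string[]; // canonical custom domain(s), lowercase, no port
  redirectTo?: string;    // if set, other hosts get a 301 to this domain instead of a 403
}

// Lowercase the Host header and strip the port and any trailing dot,
// so "App.Example.COM:443" and "app.example.com." compare equal.
function normalizeHost(header: string | undefined): string {
  const host = (header || "").trim().toLowerCase();
  return host.replace(/:\d+$/, "").replace(/\.$/, "");
}

// Allow only listed hosts; everything else (the platform URL, raw IPs,
// unexpected names, a missing header) is redirected or blocked.
function decideHost(header: string | undefined, url: string, policy: HostPolicy): HostDecision {
  if (policy.allowedHosts.indexOf(normalizeHost(header)) !== -1) {
    return { action: "allow" };
  }
  if (policy.redirectTo) {
    // Keep the target host fixed; only a path starting with a single "/" is appended.
    const path = /^\/(?!\/)/.test(url) ? url : "/";
    return { action: "redirect", location: "https://" + policy.redirectTo + path };
  }
  return { action: "block" };
}

// Express-style middleware (req, res, next); reads the Host header as the snippet in the thread does.
function hostGuard(policy: HostPolicy) {
  return function (req: any, res: any, next: () => void): void {
    const decision = decideHost(req.headers.host, req.originalUrl || "/", policy);
    if (decision.action === "allow") {
      next();
    } else if (decision.action === "redirect") {
      res.redirect(301, decision.location);
    } else {
      res.status(403).send("Domain access blocked");
    }
  };
}

// Usage in index.ts (assumed): app.use(hostGuard({ allowedHosts: ["app.example.com"] }));
```

Because the check lists what is allowed instead of what is blocked, a host name that the `replit.app` substring test does not anticipate is refused as well.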