Enforce subdomain ownership: not working with subdomains

vanyatwo · October 26, 2025, 11:50am

I have plenty of developers, working solo on simultaneous projects with WordPress.

Each of the developers has the own dev* account. E.g. dev1, dev2, etc.

For each developer, I have created web domain s*.stage.domain.com. E.g. s1.stage…, s2.stage…, etc.

I wanted to limit developers to create only their own s.stage subdomains, like project1.s1.stage.domain.com, so the developer could not create the project under mask of another developer. E.g. dev1 could create only .s1.stage… subdomains.

But it is not working.

as a dev3, I can create project.s2.stage, while s2.stage web domain exists under dev2 account.

nu01 · October 26, 2025, 11:58am

Hellos.

Go to server settings (cogwheel) > configure > click security > policies > enforce subdomain ownership (set to YES).

vanyatwo · October 26, 2025, 12:09pm

it is enabled, and it is fresh install

nu01 · October 26, 2025, 12:19pm

How were domains created in each of the user. Also, maybe show what is the current setup?

Anything shows in logs?

Ohh, and try to set enforce to NO, save, and then reset to Yes, save. See if this helps.

Raphael · October 26, 2025, 12:20pm

set it to no, yes is the default.

nu01 · October 26, 2025, 12:21pm

But OP wants to enforce sub-domain ownership. Or am I reading it incorrectly?

Raphael · October 26, 2025, 12:28pm

Ah, got it, not sure but enforce ownership targets mainly the domain itself and not subdomains.

vanyatwo · October 26, 2025, 12:30pm

How were domains created in each of the user. Also, maybe show what is the current setup?

Manually, I’ve created a web domain s*.stage.domain.com for each user dev*.

By this, I wanted to protect subdomains *.s*.stage.domain.com for each user.

Anything shows in logs?

Please, advise me on where to check it.

Also, tried disabling and re-enabling the option enforce subdomain ownership - didn’t work.

vanyatwo · October 26, 2025, 12:31pm

Ye, seems like. Is there any option to create user field “domain mask” to whitelist allowed domains?

nu01 · October 26, 2025, 12:38pm

Try with CLI: CLI Reference | Hestia Control Panel

v-delete-web-domain-allow-users admin ``admin.com

Also, a related (probably) issue: Problem with subdomain

vanyatwo · October 26, 2025, 12:46pm

v-delete-web-domain-allow-users admin ``admin.com

Tested, didn’t work.

nu01 · October 26, 2025, 12:47pm

Okay, seems some issues with your end. Provide some logs please. Will help.

BTW: what is your hestia version?

sahsanu · October 26, 2025, 10:04pm

As @Raphael already said, Hestia doesn’t support what you want to do.