Pantheon Partners, Strategic Partners, Enterprise accounts, Resellers, and OEM Partners have the ability to provision a custom vanity domain for each environment on every site running on the platform, in addition to the default Platform domain (
The Vanity domain can either be a subdomain of your primary site (
sites.mydomain.com) or a dedicated domain name (
If a subdomain of your primary site is configured, a newly created site named "supersite" will then have a Dev environment URL of
dev-supersite.sites.mydomain.com. If a dedicated domain name is used, the site would instead have a Dev environment URL of
Google Top Level Domains and HSTS
In September 2017, Google announced that it was planning to make HSTS preloading mandatory for the Top-Level Domains (TLDs) available exclusively through Google Registry. That means that, moving forward, some TLDs will automatically redirect to HTTPS, and will be unable to load insecure sites or site pages. When selecting a domain to use as a custom or vanity domain, it's important to note the 45 TLDs that are subject to mandatory HSTS preloading:
.gle .prod .docs .cal .soy .how .chrome .ads .mov .youtube .channel .nexus .goog .boo .dad .drive .hangout .new .eat .app .moto .ing .meme .here .zip .guge .car .foo .day .dev .play .gmail .fly .gbiz .rsvp .android .map .page .google .dclk .search .prof .phd .esq .みんな .谷歌 .グーグル
When using one of the above domains as a vanity domain, keep in mind that every environment domain must have HTTPS provisioned or that environment's domain will be inaccessible. Because Pantheon doesn't provision HTTPS for vanity domains, this will need to be set up and managed using a custom certificate. You should also keep in mind that any Multidev environments created using a secure-only TLD will need to have HTTPS provisioned before the site domain will work.
When using one of the above TLDs as a custom domain for your site, Pantheon will provision the necessary certificates if you are using Pantheon's automated Global CDN. If the site is using a custom certificate, then each custom domain needs to have the certificate provisioned by the 3rd party used to manage HTTPS for the site.
From your Organization Dashboard, go to Dashboard and submit a support request with "Request for custom Vanity domain" as the subject. You must provide the Vanity domain required on the site, like
We recommend using a separate domain from your production site. This prevents any security issues related to domain-specific cookies. Even the same domain under a different TLD (
.net, etc) would suffice.
At your DNS provider, create a wildcard A/AAAA record pointing to our edge. Using the example domain
sites.example.com, the record would need to be created as follows. Replace
X with a
See Introduction to Domain Name Services for more information about AAAA records.
If the domain in question is already in use, be sure to configure your vanity domain at Pantheon before changing DNS records to avoid any downtime.
Existing sites created before configuring a Vanity domain will continue to use the default Platform domains and will not use the custom Vanity domain.
Sites associated with your organization will receive the custom Vanity domain for all environments (including Multidev) created while the organization remains a supporting organization.
After adding a custom Vanity domain to your organization, some workflow operations, such as restoring an environment from a backup or changing the PHP version, can cause site domain URLs in other environments to unexpectedly change from the Pantheon domain to the custom domain.
Environment URLs are permanent. If an organization is removed as the supporting organization, any environment created during its association will keep the original URL after removal. Paid sites can add custom domains to any environment, as a workaround for those wishing to use different URLs after launch and disassociation of the site with the organization.
Do not configure DNS for custom domains using Vanity domain values. Even after configuring a vanity domain, your custom domain records should always be
AAAA records pointing to the platform IP addresses, as recommended within the Domains / HTTPS page. Vanity domains are designed to be viewed by end users, not added into records for other domains.
Incorrect DNS Configuration
Correct DNS Configuration
If you run sites on subdomains of your primary site (e.g.
sites.awesomeagency.com), you should be aware of some security considerations:
- Sites on the subdomains may be able to read cookies set on your primary site.
- If a site on the subdomain is reported as a malicious phishing/spam/malware site, it could prevent access to your main marketing site if Google/Norton/etc. block the site.
- HTTPS is not provisioned for vanity domains. Only custom domains will have HTTPS provisioned.
- To provision HTTPS for vanity domains, contact Sales to learn how to host your custom certificate on Pantheon.
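The two checks this page asks for when choosing a vanity domain (the HSTS-preloaded TLDs listed earlier and the cookie exposure of subdomains described in this list), as an added Python example that is not Pantheon's code. The function names and the sample domain `agencysites.dev` are assumptions made for illustration.

```python
# Added example (not Pantheon code): pre-flight checks for a candidate vanity domain.
# TLD list copied from the HSTS section of this page.
HSTS_TLDS = (
    "gle prod docs cal soy how chrome ads mov youtube channel nexus goog boo "
    "dad drive hangout new eat app moto ing meme here zip guge car foo day dev "
    "play gmail fly gbiz rsvp android map page google dclk search prof phd esq "
    "みんな 谷歌 グーグル"
).split()


def a_label(name: str) -> str:
    """Normalise a hostname: lower-case, no trailing dot, IDN labels as punycode."""
    return name.strip().rstrip(".").lower().encode("idna").decode("ascii")


PRELOADED = {a_label(tld) for tld in HSTS_TLDS}


def hsts_preloaded(domain: str) -> bool:
    """True if the domain's TLD is on the mandatory HSTS preload list above."""
    return a_label(domain).rsplit(".", 1)[-1] in PRELOADED


def cookie_domain_match(host: str, cookie_domain: str) -> bool:
    """RFC 6265 section 5.1.3 domain-match for hostnames (IP addresses not handled)."""
    host, cookie_domain = a_label(host), a_label(cookie_domain.lstrip("."))
    return host == cookie_domain or host.endswith("." + cookie_domain)


def review(vanity: str, primary: str, site: str = "supersite", env: str = "dev") -> dict:
    """Build the environment hostname the way the page describes and check it."""
    env_host = f"{env}-{site}.{a_label(vanity)}"
    return {
        "env_host": env_host,
        # True: every environment needs a certificate or it will not load.
        "needs_https": hsts_preloaded(vanity),
        # True: a cookie set with Domain=<primary> is also sent to this host.
        "gets_primary_cookies": cookie_domain_match(env_host, primary),
    }


if __name__ == "__main__":
    # Constructed sample inputs; awesomeagency.* is the page's example name.
    for vanity in ("sites.awesomeagency.com", "awesomeagency.net", "agencysites.dev"):
        print(review(vanity, primary="awesomeagency.com"))
```

The cookie check covers cookies set with a `Domain` attribute; cookies set without one are host-only and are not sent to subdomains.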
For SEO and to prevent duplicate content, the
robots.txt file attached to the custom vanity domain will contain the following by default:
    # https://live-sitename.agencyname.com/robots.txt
    User-agent: *
    Disallow: /
To present an alternate
robots.txt file from within the source code, add a custom domain to the site's Dashboard and create the appropriate DNS record.