Feedback justinsforge never public
NEVER put a public, unauthenticated endpoint on a *.justinsforge.com hostname. Justin called this out 2026-06-09 ("justinsforge is an attack vector that should never be public") after I exposed unsubscribe.justinsforge.com with no auth.
Why: justinsforge.com is Justin's private command center (forge backend, dashboards, agent surfaces). Exposing an unauthenticated endpoint on it reveals the domain to the public/attackers and breaks the security posture. Cloudflare-Access-gated dashboards on justinsforge.com are fine (auth required); fully public/no-auth endpoints are not.
How to apply: Any service that the internet or email recipients must reach WITHOUT auth (unsubscribe pages, public webhooks, callbacks, tracking pixels, public APIs) goes on a brand/public domain (gusoutdoor.co, shopnovadesign.com, sipnservesociety.com, justinwieb.com, gusthebass.com, etc.), not justinsforge.com. One shared backend service is fine; just front it with brand-domain hostnames. Example: the email engine's unsubscribe endpoint runs on Console:8094 but is exposed as unsubscribe.<brand-domain> per brand (matching the sending domain, which is also better for deliverability). Related: [[feedback_home_button_on_subdomains]].