Bidders that need to change whole-hostname parameter #2127

Closed
3 of 6 tasks
bretg opened this issue Jan 6, 2022 · 1 comment

bretg commented Jan 6, 2022

An email was sent to the pbs-adapters mailing list in October outlining an issue that the Prebid Server committee is now going to take up.

Some adapters are using a dynamic endpoint domain as a bidder parameter. Prebid Server is not an open proxy. If necessary, you may specify a portion of the domain as a parameter to support geo regions or account-specific servers. However, this is discouraged and may degrade the performance of your adapter since the server needs to maintain more outgoing connections. Host companies may choose to disable your adapter if it uses a dynamically configured domain.

For example, this auction endpoint URL is no longer allowed:

https://{{host}}/getbids

Why? Because the domain name is entirely dependent on an incoming parameter that could be spoofed, causing Prebid Server to make requests anywhere on the internet unless the host company takes pains to block that behavior.

This one is better:

https://{{host}}.example.com/getbids

Here, spoofed parameters can't do as much damage.

However, even this is only necessary if a bidder insists on publisher-specific domains. So let's talk about tracking. It's understandable that bidder endpoints will want to track publishers and the source Prebid Server. But publishers should be tracked within the ORTB2 body, e.g. as $.site.publisher.id. Our recommendation is that bid adapters design their auction endpoints so that publisher is an internal value rather than being on the URL.

PBS host config can be different for each host company
https://auction.example.com/getbids?pbs-source=magnite

Note that PBS host companies have the ability to support region-specific endpoints. For instance, if you have bidder endpoints in EU and US, you can work with the various PBS host companies running your adapter to deploy different configuration pointing properly to these endpoints.

Here are the adapters that currently utilize parameters that define the entire hostname:

  • adkernel / adkernelAdn uses http://{{.Host}}/hb?zone={{.ZoneID}} - heads up @ckbo3hrk
  • adocean uses https://{{.Host}} - heads up @mmuras
  • datablocks/zeroclickfraud uses http://{{.Host}}/openrtb2?sid={{.SourceId}} - heads up @htang555
  • invibes uses https://{{.Host}}/bid/ServerBidAdContent - heads up @invibes
  • tappx uses http://{{.Host}} - heads up @prebidtappx, @ah-tappx
  • yeahmobi uses https://{{.Host}}/prebid/bid - heads up @zhaojp and @junping.zhao

Here's the goal: documentation about the whole-{{Host}} parameter is gone as of April 1, 2022. New customers start using a different approach.

There are lots of ways to make that happen. The preferred method is to stop depending on dynamic hostnames entirely.

But assuming that's not going to be possible for some of you, here's a suggested approach:

  1. Create and document a new parameter called "serverHost" that new customers would use, removing reference to the whole-Host parameter.
  2. Update your adapter to build {{Host}} out of "serverHost".
  3. To support your legacy customers, you can still support the "Host" parameter in the request.
  4. Then you can start working with legacy customers to change them from using Host to serverHost.
  5. Once that change is complete, your adapter can drop support for "Host" entirely.

I'll be reaching out to each company via email as well to work through this. Thanks for your attention to this matter.
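The "portion of the domain" pattern from the issue above (`https://{{host}}.example.com/getbids`) only limits spoofing if the parameter is held to a single DNS label. The Go sketch below is an added example, not code from Prebid Server or from any adapter named here; `BuildEndpoint`, `labelRE` and `endpointSuffix` are hypothetical names, and `example.com` stands in for a domain the bidder controls.

```go
package main

import (
	"fmt"
	"net/url"
	"regexp"
)

// Assumption: the bidder owns example.com (the domain used in the issue text).
const endpointSuffix = ".example.com"

// One lowercase DNS label: letters, digits, hyphens, 1-63 chars, no leading
// or trailing hyphen. Dots, '/', '@', ':', '?' and '#' can never match, so
// the value cannot add a domain level, userinfo, port, path or query.
var labelRE = regexp.MustCompile(`^[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?$`)

// BuildEndpoint (hypothetical helper) turns the "serverHost" bidder
// parameter into an auction URL under the fixed bidder domain.
func BuildEndpoint(serverHost string) (string, error) {
	if !labelRE.MatchString(serverHost) {
		return "", fmt.Errorf("invalid serverHost %q", serverHost)
	}
	want := serverHost + endpointSuffix
	u := url.URL{Scheme: "https", Host: want, Path: "/getbids"}
	// Defence in depth: re-parse and confirm the host is exactly what we built.
	parsed, err := url.Parse(u.String())
	if err != nil || parsed.Hostname() != want {
		return "", fmt.Errorf("endpoint host check failed for %q", serverHost)
	}
	return u.String(), nil
}

func main() {
	// Constructed sample parameter values, not taken from any real request.
	samples := []string{"eu", "us-east", "evil.test/x?", "169.254.169.254", "a@b", ""}
	for _, h := range samples {
		ep, err := BuildEndpoint(h)
		fmt.Printf("%-20q -> %q err=%v\n", h, ep, err)
	}
}
```

A value such as `evil.test/x?` would otherwise push `.example.com/getbids` into the query string and leave `evil.test` as the request host, which is why the check is on the raw parameter rather than on the finished URL alone.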

bretg commented Mar 24, 2023

Closing as duplicate of #2612

@bretg bretg closed this as completed Mar 24, 2023
@github-project-automation github-project-automation bot moved this from Ready for Dev to Done in Prebid Server Prioritization Mar 24, 2023