Hacker News: skatsubo

New comment by skatsubo in "Google flags Immich sites as dangerous"

skatsubo — Thu, 23 Oct 2025 08:51:37 +0000

> This allows any member of the public with a GitHub account to deploy any arbitrary code to that subdomain without any review or approval from the Immich team.

This part is not correct: the "preview" label can be set only by collaborators.

> a subdomain of a domain that they also use for production traffic

To clarify this part: the only production traffic that immich.cloud serves are static map tiles (tiles.immich.cloud)

Overall, I share your concerns, and as you already mentioned, a dedicated "immich.build" domain is the way to go.

New comment by skatsubo in "Google flags Immich sites as dangerous"

skatsubo — Thu, 23 Oct 2025 08:41:51 +0000

G would flag _some_ instances.

Possible scenario:

- A self-hosted project has a demo instance with a default login page (demo.immich.app, demo.jellyfin.org, demo1.nextcloud.com) that is classified as "primary" by google's algorithms

- Any self-hosted instance with the same login page (branding, title, logo, meta html) becomes a candidate for deceptive/phishing by their algorithm. And immich.cloud has a lot of preview envs falling in that category.

BUT in Immich case its _demo_ login page has its own big banner, so it is already quite different from others. Maybe there's no "original" at all. The algorithm/AI just got lost among thousands of identically looking login pages and now considers every other instance as deceptive...

New comment by skatsubo in "Google flags Immich sites as dangerous"

skatsubo — Thu, 23 Oct 2025 08:21:54 +0000

Add a custom "welcome message" in Server Settings (https://my.immich.app/admin/system-settings?isOpen=server) to make your login page look different compared to all other default Immich login pages. This is probably the easiest non-intrusive tweak to work around the repeated flagging by Safe Browsing, still no 100% guarantee. I agree that strict access blocking (with extra auth or IP ACL) can work better. Though I've seen in this thread https://news.ycombinator.com/item?id=45676712 and over the Internet that purely internal/private domains get flagged too. Can it be some Chrome + G Safe Browsing integration, e.g. reporting hashes of visited pages?

Btw, folks in the Jellyfin thread tried blocking specifically Google bot / IP ranges (ASNs?) https://github.com/jellyfin/jellyfin-web/issues/4076#issueco... with varying success.

And go through your domain registration/re-review in G Search Console of course.