I’m currently in the design stage of a web app that will be set up at the organization level, with the end-user admin managing their own users and policies. Each organization will get the same features but their data will be completely separate, and each will have their own MongoDB database on the server. The server will be written in Node and run in Docker.
I’m trying to decide between having a subdomain (like Slack does, ex. yourteam.myapp.com) or having everything run through a single domain (like when you sign into a Google Apps account). I’m wondering if there are security or caching implications for doing the latter, which I’d otherwise do to keep things simpler on my end. For example, if users can upload HTML documents (ex. yourteam.myapp.com/docs/01.htm) would the separate domains prevent a cross-team scripting attack?
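The same-origin question raised above, as an added example that is not part of the original post: a dependency-free Node module that resolves the tenant from the Host header, refuses to render uploaded HTML on the application origin that holds the session, and serves it only from a separate sandboxed origin under a restrictive CSP, with a host-only session cookie so tenants' subdomains do not share it. The `.usercontent.example` domain and the `__Host-session` cookie name are assumptions made for this example.

```javascript
// Added example (not from the original post). Assumes tenants live at
// <tenant>.myapp.com (from the question) and that uploaded HTML is served
// from a separate, cookie-less origin <tenant>.usercontent.example
// (hypothetical domain chosen for this example).
const APP_SUFFIX = '.myapp.com';
const CONTENT_SUFFIX = '.usercontent.example'; // hypothetical sandbox domain
const TENANT_RE = /^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$/; // one DNS label

// Parse the Host header into { tenant, kind } or null. kind is 'app' for the
// application origin and 'content' for the user-content origin.
function resolveHost(host) {
  const h = String(host || '').toLowerCase().split(':')[0]; // drop any port
  for (const [suffix, kind] of [[APP_SUFFIX, 'app'], [CONTENT_SUFFIX, 'content']]) {
    if (h.endsWith(suffix)) {
      const tenant = h.slice(0, -suffix.length);
      return TENANT_RE.test(tenant) ? { tenant, kind } : null;
    }
  }
  return null; // unknown or malformed host: do not guess a tenant
}

// Decide how a request for an uploaded document under /docs/ is served.
function routeDocument(host, path) {
  const origin = resolveHost(host);
  if (!origin) return { status: 400 };
  if (!path.startsWith('/docs/')) return { status: 404 };
  if (origin.kind === 'app') {
    // Uploaded HTML is never rendered on the origin that carries the session
    // cookie; send the browser to the tenant's content origin instead.
    const location = `https://${origin.tenant}${CONTENT_SUFFIX}${path}`;
    return { status: 302, headers: { Location: location } };
  }
  return {
    status: 200,
    headers: {
      // 'sandbox' with no flags: no script execution, opaque origin, no forms.
      'Content-Security-Policy': 'sandbox',
      'X-Content-Type-Options': 'nosniff',     // no MIME sniffing into HTML/JS
      'Cache-Control': 'private, no-store',    // tenant data never shared-cached
    },
  };
}

// Session cookie for the app origin. The __Host- prefix requires Secure,
// Path=/ and no Domain attribute, so the browser keeps it host-only: it is
// not sent to other tenants' subdomains or to the content origin, unlike a
// cookie set with Domain=myapp.com.
function sessionCookie(sessionId) {
  return `__Host-session=${sessionId}; Secure; HttpOnly; SameSite=Lax; Path=/`;
}
```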