talk
Put the admin dashboard and the GraphQL queries/mutations it uses on a separate domain/path
Currently both the client code and the backend code are hosted on the same domain, e.g. talk.example.com. However, it would be nice to be able to put the admin part behind a VPN, e.g. talk-admin.example.com. This is of course possible with some routing tricks; however, the admin still uses the same GraphQL endpoints as the public client, which have to stay public, so the admin would still not be fully behind the VPN.
I'd like to increase security by being able to host the admin part of Coral Talk and its queries/mutations separately from the client part.
Search Terms
admin, cms, security, route, routing, domain, subdomain, vpn, internal network
Suggestion
Make it easy by separating the GraphQL schema into two parts, one for the admin and one (slimmed-down) for the public. You can still use both on one domain, but if preferred you now have the choice to host the admin part more securely behind a VPN/whitelisted IPs.
Use Cases
To only allow access to the admin of Talk if you're on the internal network of a company.
Now that I have finished writing this, it's probably still security through obscurity, as yes, you won't be able to access the admin without the VPN, but there are still public endpoints that have write access.
What are your thoughts on this?