I'd like to set up a self-hosted Ghost.org blog for a SaaS. I have two options:
- example.com/blog
- blog.example.com
Everywhere I read, they recommend /blog for SEO. However, I'm concerned about the security considerations of such a setup.
First, the cookies. Do I have to worry about them?
The existing cookies for the SaaS have:
- domain specified
- path as /
- HttpOnly
- Secure
- SameSite: Lax
Is there any chance that Ghost.org blog at /blog can potentially access or modify the SaaS app's cookies?
My other concern is whether someone is able to upload anything into the blog. It's not supposed to happen, but there is a member interface for Subscribe/Unsubscribe on Ghost.org, which means that theoretically they could find a way to upload some file. If not today, then maybe in the future.
Anything else I need to be concerned about in the /blog scenario?
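Added example, not part of the original post: a small model of the RFC 6265 cookie matching rules (domain-match, path-match, Secure), applied to a session cookie with the attributes the poster lists, for both layouts. The hostname example.com, the cookie names and the URLs are constructed for illustration.

```python
# Added example, not code from the original post: which SaaS cookies a browser
# attaches to requests for the blog under the RFC 6265 matching rules, for both
# deployment options the poster lists. Hostnames and cookie names are constructed.
from dataclasses import dataclass
from urllib.parse import urlsplit

@dataclass(frozen=True)
class Cookie:
    name: str
    domain: str      # domain stored by the browser
    host_only: bool  # True when Set-Cookie carried no Domain attribute
    path: str
    secure: bool
    # HttpOnly and SameSite=Lax are omitted: neither decides whether a cookie
    # is attached to a same-site request for a URL on the same scheme.

def domain_matches(host: str, cookie_domain: str) -> bool:
    """RFC 6265 5.1.3: host equals the domain or is a subdomain of it."""
    host, cookie_domain = host.lower(), cookie_domain.lower().lstrip(".")
    return host == cookie_domain or host.endswith("." + cookie_domain)

def path_matches(req_path: str, cookie_path: str) -> bool:
    """RFC 6265 5.1.4 path-match."""
    if req_path == cookie_path:
        return True
    if not req_path.startswith(cookie_path):
        return False
    return cookie_path.endswith("/") or req_path[len(cookie_path)] == "/"

def cookies_sent_to(url: str, jar: list) -> list:
    """Names of the cookies a browser would send with a same-site request for url."""
    u = urlsplit(url)
    host, path = u.hostname, u.path or "/"
    sent = []
    for c in jar:
        in_domain = host == c.domain if c.host_only else domain_matches(host, c.domain)
        if in_domain and path_matches(path, c.path) and (u.scheme == "https" or not c.secure):
            sent.append(c.name)
    return sent

# Constructed jar: the poster's session cookie ("domain specified", path=/, Secure)
# beside the same cookie issued without a Domain attribute (host-only).
SAAS_JAR = [
    Cookie("saas_session", "example.com", False, "/", True),
    Cookie("saas_session_hostonly", "example.com", True, "/", True),
]

if __name__ == "__main__":
    for url in ("https://example.com/blog/post-1", "https://blog.example.com/post-1"):
        print(url, "->", cookies_sent_to(url, SAAS_JAR))
```

With path=/ the cookie is sent to every path on the origin, /blog included, and with a Domain attribute it is also sent to blog.example.com; only a host-only cookie (no Domain attribute) stays off the subdomain, so the subdomain layout isolates the session cookie only if the SaaS stops setting Domain.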
Posted 6 months ago in r/AskNetsec (reddit.com/r/AskNetsec/c...)