DEV Community

Alexander Isora πŸ¦„
Alexander Isora πŸ¦„

Posted on

Remember this when you start building a website builder

Hey, I'm Alex. I'm building a website builder (forgive the pun).

It is a very popular niche and I'm pretty sure many of you dreamed of creating such a tool.

But before you begin to consider reading about my experience.

Custom domains

My server provider is Heroku. To attach a custom domain to Heroku you need to enter their CNAME DNS record.

When I started the 'custom domain' task and discovered that Heroku requires to enter a CNAME I began panicking.

As you may know, CNAME is like mayonnaise in the world of DNS records. If you use it once you will feel only its taste and nothing else.

A CNAME DNS record force out all other including MX. That means users will not be able to use a custom domain email! It's awful!

A friend of mine recommended me an elegant workaround. I set up an AWS EC2 instance with nginx and enabled nginx proxy_pass. Thus my EC2 instance simply accepts requests from anywhere and proxy_passes it to the Heroku app.

Then I requested a static IP from AWS. The IP was intended to be used as A-type DNS records by my users.

Now my beloved users can use an MX DNS record alongside a Unicorn Platform A-type DNS record.

If you are forced to use CNAME for your clients, consider serving their websites from a www. subdomain. Thus the apex domain DNS records will remain under the client control.


I use the wonderful Certbot for Ubuntu. Certbot cares about issuing a Let's Encrypt certificate and, most important, renewing all of them.

You can buy a 100-slot certificate, but you will have to pay $2 per domain plus you need to issue a new cert per 100 domains. Another issue is that all the domains will be listed in the certificate and it will look unprofessional.

So use Certbot and you will be fine. Just note the Let's Encrypt API call limitation and don't accidentally get banned by them.


Create a list of forbidden subdomains: 'admin', 'promo', 'login', 'auth', 'www1', 'checkout' and many more. This will protect you from fraud.

How to render websites

Your websites are displayed in 2 entities: the builder itself (with editing UI) and the final version for visitors.

You can create one rendering engine for both cases. First, build a SPA - the builder - this will be the main rendering part. Your users will use it to compose and edit their pages.
Then simply use SSR (server-side rendering) to serve the built page. Do not forget to create a separate build of your SPA without the editing UI and it will be fine.

But, there are caveats. First, you will need to take care of your NodeJs server which does the SSR part. And second, the changes will not be visible immediately.

That is why I display pages in another way. I have created the builder. It's SPA which has the templates enriched with an editing UI. This SPA renders pages to my users who build websites.

Additionally, I use Django template engine to render the same pages for visitors from the Internet.

This literally doubled my work on rendering templates but it is a very reliable approach. And most important it works blazingly fast.


Consider tracking your website's bandwidth. Because traffic is not free. Some may use your application to host static content. You need to be able to quickly find out who is abusing you.

Forbidden content

People will use your free subdomain-only tier to host spammy websites with controversial content. Create a policy of what is acceptable and what is not. Use shadowban to disarm the most persistent ones.


Give your users the ability to feel the whole power of your website builder. Do not limit components, elements, styling options, integrations. Let them use the whole potential of your tool. Give them the joy in using your platform.

The more their contribution to a website is the more their will to stay with your website builder. I'm my case I charge only for branding removal and custom domains. All the other features including custom code are free.

I thought it would be fun to share this inside. Let me know if you want to learn more about the craft of building websites builders :)

Top comments (3)

dineshrathee12 profile image
Dinesh Rathee

LetsEncrypt have revoked around 3 million certs last night due to a bug that they found. Are you impacted by this, Check out ?




alexanderisora profile image
Alexander Isora πŸ¦„

Thanks for your care man.

One certificate was revoked. LE gave me a couple of days to issue a new one. So I instantly installed a fresh certificate.

dineshrathee12 profile image
Dinesh Rathee

Nice one :)