I've made a chat application in Node.js with now.js, and now I'm thinking about something. There are two files: server.js and client.js, and anyone can steal the client.js file and run it on another host to get the benefits of my server.js work. How can I prevent that?

This is where client.js connects to the host by domain and port:

window.now = nowInitialize("http://address.com:6564");

How can I make it more secure, for example so that only clients (JS files) served from my host (address.com) can connect to my host?

ElSajko
    Take a look at this question: http://stackoverflow.com/questions/8618448/enhancing-security-in-a-now-js-socket-io-chat – Fabian Becker Jul 26 '12 at 09:07
  • This is about XSS attacks. I asked about someone copying my client and using it as their own, without the server knowing about it. – ElSajko Jul 26 '12 at 09:12

2 Answers

3

If your concern is that other servers can use your server with the client code: this should not be an issue because of the Same Origin Policy. Only if your server specifically allows it, will clients from other hosts be able to communicate with it.

Just try it out from a different domain name (or even localhost): you will see your browser won't let you make cross-domain requests.

(As an example, you can see this StackOverflow post where a user could not get Socket.IO working over different host/port combinations.)

UPDATE

It would work like this:

[image: not available]

Ruben Verborgh
  • Ah yes. Right. Thanks. I was unclear on how to check the origin of the client if copied to another domain. But actually the browser will automatically send it and check with the "OPTIONS" request to the webserver whether it's allowed or not. Yes, I believe that would work... I used CORS many times but still feel a little bit insecure relying on client browser trust. However, in everyday life, that is a good and secure technique. – nembleton Jul 29 '12 at 04:55
  • I suppose that would answer the question. But I'm not sure the question asker was satisfied with the answer (or read it at all). For browsers, yes, they're all making things safe (indeed it becomes a pain). I was just mentioning "self compiled" browsers. – nembleton Jul 29 '12 at 10:13
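The answer above leans on the Same-Origin Policy and CORS, so the server-side half of that is worth seeing. The following is an added example (not code from the question, the answers, or the now.js project): a handshake origin check that only answers with CORS headers for an allow-listed origin. The function names and the `ALLOWED_ORIGINS` list are assumptions. Note the caveat raised in the comments: the browser is what sends and enforces the Origin header, so this stops a copied client.js served from another site, not a hand-written non-browser client; that case needs the token approach from the other answer.

```javascript
// Added example, not from the question or the answers: a server-side
// origin allow-list for a now.js/Socket.IO-style handshake. The browser
// sends an Origin header on cross-site requests and the server decides
// whether to answer with CORS headers. Helper names are hypothetical.

// Origins that may talk to this server. Scheme, host and port must all
// match exactly; a suffix match on the host name would let
// "http://address.com.evil.example" through.
const ALLOWED_ORIGINS = new Set([
  'http://address.com',
  'http://address.com:6564',
]);

// Normalize an Origin header value to "scheme://host[:port]", or return
// null when it is absent, the literal "null" (file:// or sandboxed page)
// or not parsable as a URL.
function normalizeOrigin(originHeader) {
  if (typeof originHeader !== 'string' || originHeader === 'null') return null;
  let url;
  try {
    url = new URL(originHeader);
  } catch (e) {
    return null;
  }
  // URL.origin drops default ports and lower-cases the host for us.
  if (url.origin === 'null') return null;
  return url.origin;
}

function isAllowedOrigin(originHeader, allowList = ALLOWED_ORIGINS) {
  const origin = normalizeOrigin(originHeader);
  return origin !== null && allowList.has(origin);
}

// Decide the CORS response for a handshake request. Returns the headers to
// add for an accepted origin, or null when the request should get a 403.
// Echoing the specific origin (never "*") keeps cookies usable without
// opening the server to every site.
function corsHeadersFor(requestHeaders, allowList = ALLOWED_ORIGINS) {
  const origin = normalizeOrigin(requestHeaders.origin);
  if (origin === null || !allowList.has(origin)) return null;
  return {
    'Access-Control-Allow-Origin': origin,
    'Access-Control-Allow-Credentials': 'true',
    'Vary': 'Origin',
  };
}

// Constructed sample handshake headers, as a browser would send them.
const SAMPLE_REQUESTS = [
  { origin: 'http://address.com' },              // the real client page
  { origin: 'http://address.com:6564' },         // served from the app port
  { origin: 'http://ADDRESS.com:80' },           // default port, mixed case
  { origin: 'http://evil.example' },             // copied client.js elsewhere
  { origin: 'http://address.com.evil.example' }, // suffix-match trap
  { origin: 'null' },                            // file:// or sandboxed page
  {},                                            // non-browser client, no Origin
];

// true for each sample the server would accept, false for a 403.
function triageSamples() {
  return SAMPLE_REQUESTS.map((req) => corsHeadersFor(req) !== null);
}

if (typeof require !== 'undefined' && require.main === module) {
  SAMPLE_REQUESTS.forEach((req) => {
    console.log(JSON.stringify(req.origin), '->', corsHeadersFor(req) ? 'allow' : 'reject 403');
  });
}
```

Run it with `node` to see the first three samples accepted and the rest rejected. The missing-Origin case is the one to keep in mind: a script that talks to port 6564 directly never sends the header, so rejecting it here only removes browser-based copies.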
0

How do your users get authenticated into your chat? Is there a registration or anything?

Maybe a token or a secure key would do it? Or a secure cookie (sorry... but at least invisible to the user) with the said token? And without a token you couldn't access your services?

nembleton