2

I am new to Node.JS , and this question might be a bit trivial . I am using something like this on the client side :-

 var sock = io.connect('http://www.mydomain.com:3000');
          sock.on('connect', function () {
                console.log("Connected successfully");
                sock.emit("_rK",{});
          });

My question is : How do i prevent cross domain connections ? Or simply , how do i prevent users from connecting to the web socket without using the website ?

According to this : Cross-domain connection in Socket.IO , cross domain connections are allowed in socket.io .

Community
  • 1
  • 1
AnuragD
  • 327
  • 3
  • 15

3 Answers3

2

You may find origins option useful (wiki page):

server.js:

io.set('origins', 'www.mydomain.com:3000');

You can find more information about origins format here.

Community
  • 1
  • 1
Oleg
  • 22,300
  • 9
  • 68
  • 84
  • Is it secure ? Or can it be spoofed ? – AnuragD Feb 22 '14 at 17:01
  • It relies on `origin` (or `referer`) request header, so in browser it's ok. But the attacker may send fake header via `curl` or something. If you want to prevent this kind of attacks, you need to implement authentication system with [CSRF](http://owasp.com/index.php/CSRF) protection – Oleg Feb 22 '14 at 17:08
  • @Oleg I am doing it like this, is it okay? io.origins((origin, callback) => { if (origin.indexOf('myserver.com') === -1) { console.log('denied request to socket io from this origin ' + origin); return callback('origin not allowed', false); } // console.log("allowed access to socket io from this origin " + origin); callback(null, true); }); sOME other website is still able to connect to my chat site users. how do i stop that? – Faizan May 23 '19 at 12:58
0

You could check for the originating url at the time of socket connection on the server. But that is not much safe and can easily be spoofed.

A technique that I use to verify web sockets is to send a token to the client and append it to the url of the socket server like this

ws://mysocket.server/token or ws://mysocket.server?token="somerandomtoken"

and then verify this token at the time of socket connection once. If the token can not be verified the server simply refuses the socket connection.

Akshat Jiwan Sharma
  • 15,430
  • 13
  • 50
  • 60
  • On what basis do you check the token ? You must've stored them against the user's ip/user-agent . If so they can be spoofed too , right ? So basically i just need the tokenized url to connect to the socket server . – AnuragD Feb 22 '14 at 16:43
  • yes I think random tokens are best way to do this. You only need this once while authenticating the socket. – Akshat Jiwan Sharma Feb 22 '14 at 16:52
  • 1
    But you would send the token to the client, how do you know it's the authorised client? – A bit new Jul 09 '16 at 13:37
0

Easy and security!

In the main file place it before io.on('connection'), add the lines:

io.set('origins', 'yoursite.com:*');

io.on('connection', function (socket) {
  • I am doing it like this, is it okay? io.origins((origin, callback) => { if (origin.indexOf('myserver.com') === -1) { console.log('denied request to socket io from this origin ' + origin); return callback('origin not allowed', false); } // console.log("allowed access to socket io from this origin " + origin); callback(null, true); }); – Faizan May 23 '19 at 12:57