Cemre Mengü

Reputation: 18754

Socket.IO Client Security

I am new to Node.js and Socket.IO. According to documentation the client side code is something like:

<script src="/socket.io/socket.io.js"></script>
<script>
  var socket = io('http://localhost:3000');
  socket.on('news', function (data) {
    console.log(data);
    socket.emit('my other event', { my: 'data' });
  });
</script>

It's simple and easy, but although it's perfectly fine for local testing, I am not sure whether it is really secure on a live page, since it's providing the direct URL and event information for the server.

Should I change the client to something else (or somehow hide it?) for the live page, or is it good to go the way it is?

Upvotes: 2

Views: 476

Answers (1)

Tim

Reputation: 3803

Yes, indeed it is dangerous and not secure!

But there are a few things that you could do to enhance the security of your Socket.io:

  1. Use an HTTPS connection; this will prevent anyone from eavesdropping on your socket connection
  2. Always authenticate your user before establishing your socket connection with your client

The link below is a good example of how you can authenticate your Socket.io connection using a JSON Web Token:

https://auth0.com/blog/2014/01/15/auth-with-socket-io/

If you are using session-based authentication, you can implement a similar architecture.

You could also do obfuscation: you could use a minifier to make your code ugly and hard for an attacker to trace, but if you have implemented the authentication before establishing the connection, it should be safe enough to expose your URL!

Upvotes: 3
