Improved chat security now.js / socket.io

Chatting with nowjs or socket.io is one of the easiest exercises you can do with them. I want to implement multi-room chat (with an unlimited number of rooms and registered users) using nowjs Group objects.

I have not worked with WebSockets yet, and I want to know what security issues exist. For example, how often do I have to authenticate?

Is it possible for an attacker to "capture" the socket.io connection, and how to prevent it?

What other security traps might be affected?

+4
1 answer

Man-in-the-middle is certainly a consideration. However, the biggest security issue will be XSS.

This useful SO thread offers:

  • socket.io 0.8 has a built-in referrer function
  • if the chat is from a known source, block unnecessary connections on the firewall

This very informative article suggests:

  • do not trust the client
  • Use SSL Encryption
  • check origin
  • prevent XSS (sanitize client input!)
  • do not consider it a browser

This useful thread says to set secure: true in socket.io.connect(...)

I would recommend accepting all these suggestions :)

+11
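The "check origin", "do not trust the client" and "sanitize client input" points from the answer, as an added example that is not part of the original thread: plain functions a server could call from its socket.io handshake and message handlers (the allowed origin, the session store and the `handleChatMessage` name are assumptions for this illustration).

```javascript
// Added example (not from the original post): the checks the answer lists,
// written as plain functions so they run without socket.io. Wiring them into
// a socket.io handshake/authorization hook and a message handler is assumed.
const ALLOWED_ORIGINS = new Set(['https://chat.example.com']); // assumed deployment origin

// Origin check: the handshake carries the page's Origin; reject anything else
// so a foreign site cannot open a chat socket from a victim's browser.
function isAllowedOrigin(origin) {
  return typeof origin === 'string' && ALLOWED_ORIGINS.has(origin);
}

// "Do not trust the client": user and room come from server-side session state
// established once at handshake, never from the message payload itself.
function authenticateHandshake(handshake, sessions) {
  if (!isAllowedOrigin(handshake.origin)) return null;
  const session = sessions.get(handshake.sessionId);
  return session || null;                // null => refuse the connection
}

// Sanitize chat text before broadcasting: escape the characters that would
// turn a message into markup when another client inserts it into the DOM.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[c]);
}

// Build the event to broadcast to the room; rejects unauthenticated senders
// and empty or oversize input (length limit is an assumed policy value).
function handleChatMessage(session, payload) {
  if (!session) return { ok: false, reason: 'not authenticated' };
  if (typeof payload !== 'string' || payload.length === 0 || payload.length > 500) {
    return { ok: false, reason: 'bad message' };
  }
  return { ok: true, room: session.room, from: session.user, text: escapeHtml(payload) };
}

// Constructed sample: one valid session; one handshake from a foreign origin.
const sessions = new Map([['s1', { user: 'alice', room: 'general' }]]);
const good = authenticateHandshake({ origin: 'https://chat.example.com', sessionId: 's1' }, sessions);
const bad = authenticateHandshake({ origin: 'https://evil.example', sessionId: 's1' }, sessions);
console.log(handleChatMessage(good, '<script>alert(1)</script>'));
console.log(handleChatMessage(bad, 'hi'));
```

Transport protection (the "Use SSL" and secure: true points) is a server/client configuration concern and is not covered by these functions.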

Source: https://habr.com/ru/post/1387767/