
Validating WebSocket connection sources

I'm currently developing a Google Chrome extension that connects to our servers via WebSockets, but was scared that someone will be able to blast our server with fake data, so we're looking to implement a security measure to prevent other sources from connecting to the server.

Is there any way in which we can integrate a security measure into the app and server in order to validate the connection comes from a Google Chrome extension?

Are there any other things that we should be aware of when doing this kind of application? Any advice is appreciated.


In the WebSocket handshake there is a "Sec-WebSocket-Origin:" header (or more recently, just "Origin:"). This is set by the browser to be the original site where the page was loaded from. You can configure the server to only accept connections from pages that originated from your site.

Note that this isn't a 100% panacea because somebody can write a WebSocket client that spoofs the Origin field (so some additional authentication method is still needed). However, it does guarantee that normal browsers run by normal people can't send you bogus data.

Also note that normal browsers could still be hijacked to take part in a DDoS attack against your site, but this is true whether the browser has WebSocket support or not. So you'll still want to take the normal measures to protect against that.
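One way a server can apply the Origin check the answer describes, shown as an added example that is not part of the original post or of any particular WebSocket library: parse the raw upgrade request, accept only an allow-listed `Origin` (falling back to the older `Sec-WebSocket-Origin`), and then require a second factor, since a non-browser client can send any Origin it likes. The extension id, the `https://example.com` origin, the `token` query parameter and the shared token value are all constructed placeholders; the GUID and the sample `Sec-WebSocket-Key` come from RFC 6455.

```python
import base64
import hashlib
import hmac
from urllib.parse import parse_qs, urlsplit

# Constructed allow-list. The extension id is a placeholder (real ids are 32
# lowercase letters a-p); a page from the extension sends Origin: chrome-extension://<id>.
ALLOWED_ORIGINS = {
    "chrome-extension://abcdefghijklmnopabcdefghijklmnop",  # placeholder id
    "https://example.com",  # example site origin
}
# Constructed shared secret for the demo; in practice a per-user token issued
# after login, never a constant compiled into the extension.
EXPECTED_TOKEN = "constructed-demo-token"
WS_GUID = "258EAFA5-E914-47DA-95CA-C5AB0DC85B11"  # fixed GUID from RFC 6455


def parse_handshake(raw: bytes):
    """Split a raw HTTP upgrade request into (request_line, lowercase-name header dict)."""
    head = raw.decode("latin-1").partition("\r\n\r\n")[0]
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def handshake_origin(headers):
    """Current browsers send Origin; the older hybi drafts used Sec-WebSocket-Origin."""
    return headers.get("origin") or headers.get("sec-websocket-origin")


def accept_key(client_key):
    """Sec-WebSocket-Accept value for a client key (RFC 6455, section 4.2.2)."""
    digest = hashlib.sha1((client_key + WS_GUID).encode("ascii")).digest()
    return base64.b64encode(digest).decode("ascii")


def validate_handshake(raw, allowed_origins=ALLOWED_ORIGINS, expected_token=EXPECTED_TOKEN):
    """Return (True, Sec-WebSocket-Accept value) or (False, rejection reason)."""
    request_line, headers = parse_handshake(raw)
    parts = request_line.split(" ")
    if len(parts) != 3 or parts[0] != "GET":
        return False, "not a GET request"
    if headers.get("upgrade", "").lower() != "websocket":
        return False, "missing Upgrade: websocket"
    if headers.get("sec-websocket-version") != "13":
        return False, "unsupported Sec-WebSocket-Version"
    key = headers.get("sec-websocket-key")
    if not key:
        return False, "missing Sec-WebSocket-Key"

    # First filter: the browser sets Origin and page script cannot override it,
    # so this stops ordinary browsers on other sites. It does not stop a
    # hand-written client, which is why a second factor follows.
    origin = handshake_origin(headers)
    if origin is None:
        return False, "no Origin header"
    if origin not in allowed_origins:
        return False, f"origin not allowed: {origin}"

    # Second factor: a token in the URL query, because a browser WebSocket
    # client cannot add custom request headers. Constant-time comparison.
    token = parse_qs(urlsplit(parts[1]).query).get("token", [""])[0]
    if not hmac.compare_digest(token, expected_token):
        return False, "bad or missing token"

    return True, accept_key(key)


def build_request(origin=None, token=EXPECTED_TOKEN, key="dGhlIHNhbXBsZSBub25jZQ=="):
    """Construct a sample client handshake for testing; the default key is the RFC 6455 example."""
    path = "/ws" + (f"?token={token}" if token else "")
    lines = [
        f"GET {path} HTTP/1.1",
        "Host: ws.example.com",  # constructed host
        "Upgrade: websocket",
        "Connection: Upgrade",
        f"Sec-WebSocket-Key: {key}",
        "Sec-WebSocket-Version: 13",
    ]
    if origin:
        lines.append(f"Origin: {origin}")
    return ("\r\n".join(lines) + "\r\n\r\n").encode("ascii")


if __name__ == "__main__":
    print(validate_handshake(build_request("chrome-extension://abcdefghijklmnopabcdefghijklmnop")))
    print(validate_handshake(build_request("https://attacker.example")))
    print(validate_handshake(build_request(None)))
```

The Origin check should be treated as a filter against other people's web pages, not as authentication: a request that clears the allow-list still has to present the token before the server answers `101 Switching Protocols`. Rejected handshakes are worth logging with the offending Origin, since a burst of them from a single source is the "blast the server" scenario the question is worried about.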
