I have a SPA (React) which I build and serve statically on the same domain as the Express server. Currently I use OAuth 2.0 with auth code flow to authenticate the user and securely make API calls. I also want to ensure that the socket connection between the React app code and the Express server backend is established in a secure way. Provided that CORS is disabled and WSS is utilized, is it sufficient to expect that the connection is secure? I suspect the answer is a resounding no, but haven't been able to find an authoritative answer to this. I have come across resources like (https://devcenter.heroku.com/articles/websocket-security) which have given guidance, but I'm not sure if this is directly applicable to Socket IO.
I've been looking for best practices when it comes to initializing secure connections in Socket IO, and there seem to be many references made to older documentation (https://stackoverflow.com/questions/7450445/socket-io-security-issues); however, this either no longer exists or applies to versions < 1.0. On top of that, many of the packages that seem to cover this (e.g. socketio-auth, passport.socketio, etc.) seem to be either archived or unmaintained.
I assumed this would be a common question with well-established practices, but this doesn't seem to be the case. Help is much appreciated!