web-security

Drew Verlee 2022-08-12T00:55:28.258309Z

I ended up just restricting the origin, which seemed easier to implement and just as secure. Maybe that token was a method before that was an option? Unclear.

Dave Russell 2022-08-17T09:05:54.973249Z

Not sure if this relates to your immediate problem but

> the login depends on the websocket connection

The origin is forgeable for websocket connections 🙂

Drew Verlee 2022-08-17T13:47:20.202269Z

@david.russell What I think is being protected by the server checking the origin is an HTTP upgrade-to-ws request with a different (malicious) origin, which could expose auth information in cookies.

> The origin is forgeable for websocket connections

Can you explain more? I turned off the token because it was throwing errors for reasons I haven't gotten around to understanding; if you think that causes an issue I would love to know.

Dave Russell 2022-08-17T14:02:08.361309Z

Sure -- I don't really have the context for your immediate problem but here's some reading that may be interesting 🙂 https://devcenter.heroku.com/articles/websocket-security#origin-header

> However, remember that the Origin header is essentially advisory: non-browser clients can easily set the Origin header to any value, and thus “pretend” to be a browser.

Meaning that if you're using the Origin header as some kind of security check on your backend, it can easily be forged by a malicious client.

Drew Verlee 2022-08-17T14:07:00.372869Z

Interesting, this is frustrating because of the massive amount of emphasis put on the origin.

Drew Verlee 2022-08-17T14:08:18.047349Z

I really should just use Keycloak and just follow the instructions verbatim.

Drew Verlee 2022-08-17T14:16:28.380219Z

Could a non-browser client make a GET request and get all the session cookies though?

Drew Verlee 2022-08-17T14:28:54.854509Z

Yeah, I think it's safe. The malicious client can spoof the origin, but it won't get the cookies then, because it's not making the request from the browser which has them.

Drew Verlee 2022-08-17T14:30:06.400419Z

I mean, I would like to add the token; it's frustrating that I can't figure out why it's failing. But I'll circle back to it...

Drew Verlee 2022-08-17T14:33:08.146239Z

I added a comment to the old https://github.com/ptaoussanis/sente/pull/338 on sente about the concern, just to see if anyone can clarify.

Drew Verlee 2022-08-17T14:37:56.628209Z

For my use case, this bit summarizes the whole thing nicely:

> A non-browser client, however, cannot access the session cookies stored in your browser. Even if the attacker spoofs Origin, their request will be denied because they’re not authenticated.

from https://dev.solita.fi/2018/11/07/securing-websocket-endpoints.html