docs(config): CSWSH(Cross-Site Web-Socket Hijack) Documentation

2021-03-22 22:44:42 +01:00 · 2021-03-22 22:44:42 +01:00 · 1086c09242
parent f08ddec296
commit 1086c09242
1 changed files with 22 additions and 0 deletions
--- a/etc/emqx.conf
+++ b/etc/emqx.conf
@ -1727,6 +1727,28 @@ listener.ws.external.nodelay = true
 ## Value: single | multiple
 listener.ws.external.mqtt_piggyback = multiple

+## By default, EMQX web socket connection does not restrict connections to specific origins.
+## It also, by default, does not enforce the presence of origin in request headers for WebSocket connections.
+## Because of this, a malicious user could potentially hijack an existing web-socket connection to EMQX.
+
+## To prevent this, users can set allowed origin headers in their ws connection to EMQX.
+## WS configs are set in listener.ws.external.*
+## WSS configs are set in listener.wss.external.*
+
+## Example for WS connection
+## To enables origin check in header for websocket connnection,
+## set `listener.ws.external.check_origin_enable = true`. By default it is false,
+## When it is set to true and no origin is present in the header of a ws connection request, the request fails.
+
+## To allow origins to be absent in header in the websocket connection when check_origin_enable is true,
+## set `listener.ws.external.allow_origin_absence = true`
+
+## Enabling origin check implies there are specific valid origins allowed for ws connection.
+## To set the list of allowed origins in header for websocket connection
+## listener.ws.external.check_origins = http://localhost:18083(localhost dashboard url), http://yourapp.com`
+## check_origins config allows a comma separated list of origins so you can specify as many origins are you want.
+## With these configs, you can allow only connections from only authorized origins to your broker
+
 ## Enable origin check in header for websocket connection
 ##
 ## Value: true | false (default false)