From 1086c09242a805795359617b66ddaeb3b1aa71d2 Mon Sep 17 00:00:00 2001
From: "ayodele.akingbule"
Date: Mon, 22 Mar 2021 22:44:42 +0100
Subject: [PATCH] docs(config): CSWSH(Cross-Site Web-Socket Hijack) Documentation

---
 etc/emqx.conf | 22 ++++++++++++++++++++++
 1 file changed, 22 insertions(+)

diff --git a/etc/emqx.conf b/etc/emqx.conf
index 4a953ddb4..812fe2159 100644
--- a/etc/emqx.conf
+++ b/etc/emqx.conf
@@ -1727,6 +1727,28 @@ listener.ws.external.nodelay = true
 ## Value: single | multiple
 listener.ws.external.mqtt_piggyback = multiple
+## By default, EMQX web socket connection does not restrict connections to specific origins.
+## It also, by default, does not enforce the presence of origin in request headers for WebSocket connections.
+## Because of this, a malicious user could potentially hijack an existing web-socket connection to EMQX.
+
+## To prevent this, users can set allowed origin headers in their ws connection to EMQX.
+## WS configs are set in listener.ws.external.*
+## WSS configs are set in listener.wss.external.*
+
+## Example for WS connection
+## To enables origin check in header for websocket connnection,
+## set `listener.ws.external.check_origin_enable = true`. By default it is false,
+## When it is set to true and no origin is present in the header of a ws connection request, the request fails.
+
+## To allow origins to be absent in header in the websocket connection when check_origin_enable is true,
+## set `listener.ws.external.allow_origin_absence = true`
+
+## Enabling origin check implies there are specific valid origins allowed for ws connection.
+## To set the list of allowed origins in header for websocket connection
+## listener.ws.external.check_origins = http://localhost:18083(localhost dashboard url), http://yourapp.com`
+## check_origins config allows a comma separated list of origins so you can specify as many origins are you want.
+## With these configs, you can allow only connections from only authorized origins to your broker
+
 ## Enable origin check in header for websocket connection
 ##
 ## Value: true | false (default false)
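Review bot: The `check_origins` example in the added block is not copy-safe: the first value has the parenthetical "(localhost dashboard url)" glued onto the origin and the line ends with an unbalanced backtick, so pasting it as written would yield a malformed first origin in the comma-separated list. Suggest `## listener.ws.external.check_origins = http://localhost:18083, http://yourapp.com` with "the dashboard URL" moved into the preceding prose line. The threat description is also imprecise: what an Origin check mitigates is a page on another origin opening a new WebSocket that the browser sends with the user's cookies or credentials, not takeover of an already-established connection, and because only browsers set Origin reliably the check is a CSRF-style defense for browser clients rather than an authentication control, which is worth stating in a line such as `## Note: Origin is only reliably set by browsers; non-browser clients are not restricted by this check.` Minor wording: "To enables" → "To enable", "connnection" → "connection", "as many origins are you want" → "as many origins as you want".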