
Note: This is not a duplicate. Please read the question carefully.

I'm building a chat app with socket.io; however, I have a lot of concerns about the security. Basically, anyone can connect to my namespace and get messages that are sent from the server. After reading many SO posts and looking over the web, I concluded that I need to encrypt the data.

The problem: Encryption and decryption need keys. I can store a private key on the server, but since everything client-side is visible to the client, how do I keep some malicious hacker from seeing the key on the client side?


I’ve looked at socket.io-encrypt, but that just confuses me even more, because it seems like the client side is also written in Node.js. The other answers on SO either I can't understand why they help, or they don't solve my problem.

– code
  • If your server has SSL/TLS enabled you should be able to just set the secure flag to true when creating the socket on the client side. – Tembero Mar 31 '21 at 18:48
  • 1
    Encryption is provided through TLS and should be enough. What you need is authentication and authorization. If you have a chat app then you likely have users which need to log in to chat. That means you can validate the session cookie on the server when the socket.io connection is established. Afterwards the server figures out which messages should be routed to the client based on the identity that socket on the server was authenticated with. It might be useful to understand which question your question is not the duplicate of. – Artjom B. Mar 31 '21 at 18:55
  • Well, it's obviously not encrypted, because I made another Node.js program and it could catch everything from my chat server perfectly with no encryption... I'm using replit.com as my platform, so I'm not sure how I can enable SSL/TLS, although my website is secure (according to Google). – code Mar 31 '21 at 19:11
  • Have you tried to connect the socket through https? When creating the socket change the start from http to https – Tembero Mar 31 '21 at 19:36
  • Well how do I set a flag on the client side, and what keeps a hacker from seeing and using the flag as well? My website was default https because I use replit (online IDE). – code Mar 31 '21 at 19:39

0 Answers