Socket.io - Headers - Query String - Security

I want to cover several aspects here. Let's unfold.

I'm using Socket.io in one of my applications. While trying to keep JWT common for the normal application and the socket.io client, I had these thoughts.

  1. Socket.io uses the HTTP(S) protocol with the GET method, as I found out so far. Or does it support POST too? If so, how? If not, why?
  2. While a number of posts claim to use query parameters to pass JWT, which won't be "that bad" on HTTPS, I have resilience to do so given that a handsome amount of browser extensions typically read URLs. So I'm more towards using headers. Which, btw, is their designated job too. Or am I being misled by little information?
  3. Headers bring us to the next question: how are headers and query strings transported over the wire? Is one safer than the other? Are headers less visible to the world while on the way?
  4. Oh! And how do I set headers in the Socket.io client?

Help would be appreciated, thanks!

P.S. Please make correction(s) to the post title if necessary.

1) socket.io uses websockets as the name suggests, so it should actually use the wss protocol; using polling & https is just a fallback afaik.

2) A browser extension might also read the header? I don't see any advantage from one over the other.

3) As 1s and 0s? Both are encrypted however (because of https and wss).

4) Why do you want that? If you want to use socket.io, just .emit() events, that's what socket.io is all about. If you don't want websockets but some self-baked solution, create your own one.
