Security
This covers basic security for protocols you’re serving via Channels and helpers that we provide.
WebSockets
WebSockets start out life as an HTTP request, including all the cookies and headers, so you can use the standard Authentication code to grab the current session and check user IDs.
There is also a risk of cross-site request forgery (CSRF) with WebSockets, though: they can be initiated from any site on the internet to your domain and will still carry the user's cookies and session from your site. If you serve private data down the socket, you should restrict the sites that are allowed to open sockets to you.
This is done via the channels.security.websocket package and the two ASGI middlewares it contains, OriginValidator and AllowedHostsOriginValidator.
OriginValidator lets you restrict the valid options for the Origin header that is sent with every WebSocket to say where it comes from. Just wrap it around your WebSocket application code like this, and pass it a list of valid domains as the second argument. You can pass only a single domain (for example, .allowed-domain.com) or a full origin, in the format scheme://domain[:port] (for example, http://allowed-domain.com:80). Port is optional, but recommended:
from channels.auth import AuthMiddlewareStack
from channels.routing import ProtocolTypeRouter, URLRouter
from channels.security.websocket import OriginValidator

application = ProtocolTypeRouter({
    "websocket": OriginValidator(
        AuthMiddlewareStack(
            URLRouter([
                ...
            ])
        ),
        # Allowed origins: a dot-prefixed domain (the domain and its subdomains),
        # a full origin with an explicit port, and a full origin with the
        # scheme's default port implied.
        [".goodsite.com", "http://.goodsite.com:80", "http://other.site.com"],
    ),
})
Note: If you want to allow any origin, use the origin *.
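The matching rules just described, written out as a stand-alone illustration added here (this is not Channels' own code): a dot-prefixed entry matches the domain and its subdomains, a bare domain must match exactly, a full scheme://domain[:port] entry must agree on scheme, host and port, and a missing or malformed Origin is refused. The default-port table and the helper names are this example's assumptions.

```python
from urllib.parse import urlparse

# Port assumed when an origin or pattern omits one ("port is optional").
DEFAULT_PORTS = {"http": 80, "ws": 80, "https": 443, "wss": 443}


def same_domain(host, pattern):
    """'.goodsite.com' matches goodsite.com and its subdomains; any other
    pattern must equal the host exactly (no bare suffix matching)."""
    host, pattern = host.lower(), pattern.lower()
    if pattern.startswith("."):
        return host == pattern[1:] or host.endswith(pattern)
    return host == pattern


def port_of(parsed):
    """Explicit port, else the scheme's default, else None."""
    try:
        port = parsed.port
    except ValueError:  # non-numeric port in a malformed header
        return None
    return port if port is not None else DEFAULT_PORTS.get(parsed.scheme)


def origin_allowed(origin_header, allowed):
    """True if the Origin header value matches an allow-list entry: '*'
    accepts all; a bare (optionally dot-prefixed) domain is checked against
    the hostname only; scheme://domain[:port] must match scheme, host and
    port. A missing or malformed Origin fails closed."""
    if origin_header is None:
        return False
    origin = urlparse(origin_header.lower())
    if origin.hostname is None:
        return False
    for pattern in allowed:
        if pattern == "*":
            return True
        pat = urlparse(pattern.lower())
        if not pat.scheme:
            # Domain-only entry: urlparse needs '//' to read it as a netloc.
            host = urlparse("//" + pattern.lower()).hostname or pattern.lower()
            if same_domain(origin.hostname, host):
                return True
        elif (pat.scheme == origin.scheme
              and port_of(origin) == port_of(pat)
              and same_domain(origin.hostname, pat.hostname)):
            return True
    return False


ALLOWED = [".goodsite.com", "http://.goodsite.com:80", "http://other.site.com"]
```

Note that https://other.site.com is refused by the http://other.site.com entry because the scheme differs, and goodsite.com.evil.com is refused because the dot-prefixed rule only matches a true subdomain.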
Often, the set of domains you want to restrict to is the same as the Django ALLOWED_HOSTS setting, which performs a similar security check for the Host header, and so AllowedHostsOriginValidator lets you use this setting without having to re-declare the list:
from channels.auth import AuthMiddlewareStack
from channels.routing import ProtocolTypeRouter, URLRouter
from channels.security.websocket import AllowedHostsOriginValidator

application = ProtocolTypeRouter({
    # No origin list here: the allowed origins come from settings.ALLOWED_HOSTS.
    "websocket": AllowedHostsOriginValidator(
        AuthMiddlewareStack(
            URLRouter([
                ...
            ])
        ),
    ),
})
AllowedHostsOriginValidator will also automatically allow local connections through if the site is in DEBUG mode, much like Django's host validation.