I'm developing a real-time web app that uses socket.io. My concern is when loading the socket.io js file through this <script>/socket.io/socket.io.js</script> in the client side it exposes the io instance as a global object. Now if you open up chrome developer tools, you can now create a connection to the server with
var socket = io.connect();
anyone can now emit events and send malicious data to your server that is listening to client emitted events. I have this in my client code as an example:
(function (sio) {
var socket = sio.connect();
// some code here...
// once a user submitted the comment, it will emit an comment:create event to the
// server
socket.emit("comment:create", comment);
}(io));
in chrome developer tools, I could create a connection and then emit the same event with some malicious arguments that could potentially crash my app like passing a null as the second argument. Is there a way to prevent such issue?
EDIT: My current solution is creating a local copy of the io instance in my client side code and then setting the global io object to null to prevent another connection be made.
Have your server side code create some sort of (fairly random) token when a client makes its initial (HTTP) connection and store it as a session variable. Require that the client include the token as part of every socket.io message it sends, and reject any messages that don't match.