Simple Socket.io server for the scytale app.
The purpose of this server is to be as simple as possible and to reveal as little information about the clients as possible. Thus, it doesn't need to keep a list of connected users or any other info about the clients.
The clients can exchange any information they need over the secure p2p connections they have established!
For more configurations on Heroku check : https://devcenter.heroku.com/articles/node-websockets
I'm not an expert in security but I will try to use common sense :)
Here are the steps I have followed:
- Use only important 3rd party modules. This way we avoid insecure dependencies.
- Use SSL. That is already offered by Heroku. In case of self-signed certs the desktop app allows configuring the `server-cert.pem` file.
- Eliminate CORS through `socket.io#origins`
- Check the server at https://securityheaders.com
- Use `rejectUnauthorized: true` to avoid MITM attacks
The first user who joins a random chatroom is also the Initiator of the chatroom and needs to set a password for that room. Everyone else who wants to join the room needs to know the password. This way we make sure that we provide a first security check by randomizing the chatroom and a second one by authenticating with it.