Does Mosquitto through websocket validate origin?

I am using Mosquitto with Paho Javascript via Websockets. Does the Websocket that Mosquitto provides avoid Cross-Site WebSocket Hijacking attacks by validating the origin?

Not at the moment, I’m afraid. I’ve just implemented this for the next feature release though, if you’d like to test it out I can tell you how.

Regards,

Roger


Super!

Yes, please let me know how I can test it.

Sorry for the delay replying!

We don’t provide packages for the development versions, so you’d have to compile yourself.

The very simplified process on Linux would be:

```
git clone https://github.com/eclipse/mosquitto
cd mosquitto
git checkout develop
make WITH_WEBSOCKETS=yes
```

That doesn’t handle dependencies though. On Ubuntu you’d need to run `apt install libwebsockets-dev libssl-dev make gcc xsltproc libcjson-dev docbook-xsl build-essential`. On other systems it would be different.

If you’re not on Linux let me know and I’ll do what I can to help.

Regards,

Roger
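
One way to check whether a broker build you run enforces the Origin header discussed in this thread, as an added example that is not from the thread or the Mosquitto project. The host, port 9001, both origin values, the function names, and the `mqtt` subprotocol on the listener are assumptions.

```python
import base64, os, socket

def build_handshake(host, port, origin, path="/"):
    """Build an RFC 6455 upgrade request that carries the given Origin."""
    key = base64.b64encode(os.urandom(16)).decode()
    lines = [
        f"GET {path} HTTP/1.1",
        f"Host: {host}:{port}",
        "Upgrade: websocket",
        "Connection: Upgrade",
        f"Sec-WebSocket-Key: {key}",
        "Sec-WebSocket-Version: 13",
        "Sec-WebSocket-Protocol: mqtt",  # assumption: listener speaks "mqtt"
        f"Origin: {origin}",
    ]
    return ("\r\n".join(lines) + "\r\n\r\n").encode("ascii")

def handshake_accepted(response):
    """True only for a 101 reply that agrees to upgrade to websocket."""
    head = response.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    status, *headers = head.split("\r\n")
    parts = status.split(" ", 2)
    if len(parts) < 2 or parts[1] != "101":
        return False
    fields = {k.strip().lower(): v.strip().lower()
              for k, v in (h.split(":", 1) for h in headers if ":" in h)}
    return fields.get("upgrade") == "websocket"

def probe(host, port, origin, timeout=5.0):
    """Send one handshake and report whether the broker accepted it."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_handshake(host, port, origin))
        buf = b""
        while b"\r\n\r\n" not in buf:
            chunk = sock.recv(4096)
            if not chunk:  # broker closed the connection without a full reply
                break
            buf += chunk
    return handshake_accepted(buf)

def verdict(trusted_ok, foreign_ok):
    """Interpret the pair of probes; a refused trusted origin proves nothing."""
    if not trusted_ok:
        return "inconclusive: trusted origin was refused too"
    return "origin not enforced" if foreign_ok else "origin enforced"

if __name__ == "__main__":
    host, port = "localhost", 9001  # constructed: a broker you operate
    print(verdict(probe(host, port, "https://app.example"),
                  probe(host, port, "https://other.example")))
```

The probe sets Origin by hand because a browser will not let page script choose that header, which is why a server-side check on it is meaningful against cross-site pages.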