Harden websocket server against abuse
24
README.md
@@ -53,3 +53,27 @@ $env:APP_PORT=9090; npm start
|
||||
- The server keeps games in memory only.
|
||||
- If an opponent closes their window, the remaining player sees a disconnect error and waits for a new player.
|
||||
- No build step is required.
|
||||
|
||||
## Hardening Knobs
|
||||
|
||||
The server is intentionally small, but it rejects common abuse cases:
|
||||
|
||||
- static files are served from an allowlist only
|
||||
- HTTP responses include basic browser security headers
|
||||
- WebSocket upgrades are origin-checked
|
||||
- clients, clients per IP, message size, and message velocity are capped
|
||||
- moves are validated server-side before being relayed
|
||||
- the Compose container runs as non-root with a read-only filesystem and dropped capabilities
|
||||
|
||||
Optional `.env` settings:
|
||||
|
||||
```text
|
||||
APP_PORT=8787
|
||||
ALLOWED_ORIGINS=https://tic.sketchferret.com
|
||||
MAX_CLIENTS=200
|
||||
MAX_CLIENTS_PER_IP=12
|
||||
MAX_MESSAGES_PER_WINDOW=40
|
||||
TRUST_PROXY=true
|
||||
```
|
||||
|
||||
Use `TRUST_PROXY=true` only when the app is behind a reverse proxy that sets `X-Forwarded-For`.
|
||||
|
||||
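Review bot: In the "Optional `.env` settings" block, `TRUST_PROXY=true` is listed alongside the ordinary tunables, so anyone copying the sample verbatim turns it on even when the app is exposed directly; the caveat only comes after the block. If the per-IP cap takes the client address from `X-Forwarded-For` when this is set (the README implies that but does not say so), a client connecting without a proxy in front could set the header itself and the `MAX_CLIENTS_PER_IP` limit would no longer bind. Suggest showing `TRUST_PROXY=false` in the sample, or moving it out of the block and placing the warning before it. Separately, the bullets mention a message size cap but the sample has no setting for it, `MAX_MESSAGES_PER_WINDOW` does not state the window length, and nothing says what the defaults are or how origin checking behaves when `ALLOWED_ORIGINS` is unset; a line for each would make the section usable without reading the server code.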