Enhancing Security in a now.js/socket.io chat

Question

A chat with nowjs or socket.io is one of the easiest exercises you can perform with them. I want to implement a multi-room chat (with a non-fixed number of rooms and logged user

Answer 1

Man-in-the-middle is certainly a consideration. The biggest security issue, though, would be XSS.

This useful SO thread suggests:

1. socket.io 0.8 has referrer verification built in
2. if chat is from known origin, block superfluous connections at the firewall

This very informative article suggests:

1. don't trust the client
2. use SSL encryption
3. check the origin
4. prevent XSS (sanitize client input!)
5. don't assume it's a browser

This useful thread says to set secure:true on socket.io.connect(...)

I'd recommend taking all those suggestions :)