TsgcWebSocketHTTPServer › Properties › SecurityOptions
Defines handshake admission rules: allowed origins and RFC 6455 handshake validation.
```delphi
property SecurityOptions: TsgcWSSecurity_Options read FSecurityOptions write SetSecurityOptions;
```
| Name | Default | Description |
|---|---|---|
| OriginsAllowed | "" | Comma-separated whitelist of origins accepted for browser WebSocket handshakes. Empty allows all origins. |
| EnforceWebSocketVersion | True | Rejects an RFC 6455 handshake whose Sec-WebSocket-Version is not 13. |
| ValidateWebSocketKey | True | Rejects an RFC 6455 handshake whose Sec-WebSocket-Key is not a valid 16-byte base64 nonce. |
Use OriginsAllowed to lock down which origins the server accepts WebSocket handshakes from. By default all origins are allowed; any non-empty value enables a whitelist and the server closes connections whose Origin header does not match. Patterns accept wildcards for the port (for example http://127.0.0.1:5555 for a single origin or http://127.0.0.1:* to accept any port on that host). Separate multiple origins with commas. Setting OriginsAllowed to an empty string restores the permissive default.
EnforceWebSocketVersion and ValidateWebSocketKey harden the WebSocket upgrade itself and are enabled by default. When EnforceWebSocketVersion is active the server answers a handshake that requests a version other than 13 with HTTP 426 Upgrade Required and a Sec-WebSocket-Version: 13 header, instead of completing the upgrade. When ValidateWebSocketKey is active the server rejects with HTTP 400 Bad Request any handshake whose Sec-WebSocket-Key is missing or is not a 24-character base64 value that decodes to 16 bytes, as required by RFC 6455. Both checks apply only to the RFC 6455 path, so legacy Hixie76 clients are unaffected. Set either to False only if you must interoperate with a non-conformant client.
The same options are available on TsgcWebSocketServer and the http.sys server TsgcWebSocketServer_HTTPAPI. To bound the size of inbound messages see MaxMessageSize.
```delphi
oServer := TsgcWebSocketHTTPServer.Create(nil);
// accept browser handshakes only from 127.0.0.1, on any port
oServer.SecurityOptions.OriginsAllowed := 'http://127.0.0.1:*';
// keep the RFC 6455 handshake checks on (both default to True)
oServer.SecurityOptions.EnforceWebSocketVersion := True;
oServer.SecurityOptions.ValidateWebSocketKey := True;
oServer.Active := True;
```
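The admission rules described above (origin whitelist with a port wildcard, Sec-WebSocket-Version must be 13, Sec-WebSocket-Key must be 24 base64 characters decoding to 16 bytes), written out as a small standalone validator. This is an added illustration in Python, not the sgcWebSockets implementation; the order in which the checks run and the refusal of a whitelisted handshake that carries no Origin header are assumptions.

```python
import base64
import binascii
from urllib.parse import urlsplit

# Constructed illustration of the admission rules this page describes. It is not the
# sgcWebSockets implementation; the order in which the checks run is an assumption.

def origin_allowed(origin, origins_allowed):
    """Empty whitelist accepts everything. 'scheme://host:*' accepts any port on that
    host; any other pattern must match scheme, host and port exactly. With a whitelist
    active, a request without an Origin header is refused (assumption)."""
    if not origins_allowed.strip():
        return True
    if not origin:
        return False
    try:
        o = urlsplit(origin)
        got = (o.scheme, o.hostname, o.port)
    except ValueError:  # e.g. a non-numeric port in the Origin header
        return False
    for pattern in (p.strip() for p in origins_allowed.split(",") if p.strip()):
        any_port = pattern.endswith(":*")
        p = urlsplit(pattern[:-2] if any_port else pattern)
        want = (p.scheme, p.hostname) if any_port else (p.scheme, p.hostname, p.port)
        if want == got[:len(want)]:
            return True
    return False

def valid_ws_key(key):
    """RFC 6455: Sec-WebSocket-Key is 24 base64 characters decoding to 16 bytes."""
    if key is None or len(key) != 24:
        return False
    try:
        return len(base64.b64decode(key, validate=True)) == 16
    except (binascii.Error, ValueError):
        return False

def admit_handshake(headers, origins_allowed="", enforce_version=True, validate_key=True):
    """Return '426' (answered with Sec-WebSocket-Version: 13), '400', 'close' or 'accept'
    for an RFC 6455 upgrade request, mirroring the responses described above."""
    h = {k.lower(): v.strip() for k, v in headers.items()}
    if enforce_version and h.get("sec-websocket-version") != "13":
        return "426"
    if validate_key and not valid_ws_key(h.get("sec-websocket-key")):
        return "400"
    if not origin_allowed(h.get("origin"), origins_allowed):
        return "close"
    return "accept"
```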