Restrict domain access

Is there a way to restrict access to the Convergence server by domain? For example, I allow anonymous users to connect to web sockets, but don’t want someone to use my endpoint bandwidth outside of my domain or IP that communicates with it. For example, if the request to initiate a socket does not come from https://example.com, deny it.

I’ve been looking through the documentation and can’t seem to find anything yet, any pointers?

We only implemented anonymous access as a convenience for standing up demo and toy domains, so no, we haven’t implemented any sort of access restrictions. Perhaps you could set up a reverse proxy in front of the Convergence WebSocket to do this?

We generally dissuade folks from using anonymous mode in production for this and other similar reasons.

I would add on that there is really no way to ensure a socket connection is coming from any particular domain. I assume your users would be coming from their own networks (like their homes or offices). So the remote IP address of the connection will not be within your domain. Also, depending on the browser, you might be able to see the HTTP Referrer header in the connection, but this can easily be faked in the HTTP protocol.

So I am not sure how you would achieve this in general.
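An added example, not from the thread or the Convergence project: the Origin check a reverse proxy in front of the WebSocket endpoint could apply to each handshake, written as plain JavaScript functions. `ALLOWED_ORIGINS`, `normalizeOrigin` and `decideUpgrade` are assumed names; browsers set Origin themselves and page script cannot change it, but a non-browser client can send any value, so this keeps other websites from using the endpoint and does not authenticate anyone.

```javascript
// Added example: exact-match Origin allowlist for WebSocket upgrade requests.
// ALLOWED_ORIGINS and both function names are assumptions, not Convergence APIs.
const ALLOWED_ORIGINS = new Set(["https://example.com"]);

// Normalize an Origin header value to scheme://host[:port], or return null
// if it is not a well-formed http(s) origin.
function normalizeOrigin(value) {
  if (typeof value !== "string" || value === "null") return null;
  let url;
  try {
    url = new URL(value);
  } catch {
    return null;
  }
  if (url.protocol !== "https:" && url.protocol !== "http:") return null;
  // An origin carries no path, query, fragment or userinfo.
  if (url.pathname !== "/" || url.search || url.hash) return null;
  if (url.username || url.password) return null;
  return url.origin; // host lowercased, default port dropped
}

// Decide on a handshake from its lowercased header map (the shape of Node's
// req.headers). 101 means "forward to the backend"; anything else is refused.
function decideUpgrade(headers) {
  if ((headers["upgrade"] || "").toLowerCase() !== "websocket") {
    return { status: 400, reason: "not a WebSocket upgrade" };
  }
  const origin = normalizeOrigin(headers["origin"]);
  if (origin === null) {
    // Browsers send Origin on WebSocket handshakes; none means another client.
    return { status: 403, reason: "missing or malformed Origin" };
  }
  // Exact set membership: substring or prefix matching would accept lookalikes.
  if (!ALLOWED_ORIGINS.has(origin)) {
    return { status: 403, reason: "origin not allowed: " + origin };
  }
  return { status: 101, reason: "ok" };
}

// Constructed sample handshakes (not captured traffic).
const SAMPLES = [
  { upgrade: "websocket", origin: "https://example.com" },
  { upgrade: "websocket", origin: "https://example.com.other.test" },
  { upgrade: "websocket", origin: "http://example.com" },
  { upgrade: "websocket", origin: "https://example.com:8443" },
  { upgrade: "websocket" },
];
for (const h of SAMPLES) console.log(h.origin, "->", decideUpgrade(h).status);
```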

Hmm…how would you recommend securing an endpoint for a chat, for example? Let’s say I have a chat with a friend and the URL is blah-blah to connect through the socket. Couldn’t any user outside of our chat copy the JWT (from any other chat started with another user) and then start a connection on localhost and start sending messages to our chat before the JWT expires? How would I prevent such things?