_&quot;wss works on both http and https&quot;_ ??? This is a strange phrase.

`wss` is secure only because it means &quot;WebSocket protocol over **https**&quot;. WebSocket protocol itself is not secure. There is no Secure WebSocket protocol, but there are just &quot;WebSocket protocol over http&quot; and &quot;WebSocket protocol over https&quot;. See also [this answer][1].

As the author of **[nv-websocket-client][2]** (WebSocket client library for Java), I also doubt the phrase _&quot;if the HTML/JavaScript that opens the secure WebSocket connection comes over non-secure HTTP, the WebSocket connection is still secure&quot;_ in the answer by oberstet.

**Read [RFC 6455][3] (The WebSocket Protocol) to reach the right answer.** To become a true engineer, don&#39;t avoid reading RFCs. Only searching technical blogs and StackOverflow for answers will never bring you to the right place.


  [1]: https://stackoverflow.com/a/34554045/1174054
  [2]: https://github.com/TakahikoKawasaki/nv-websocket-client
  [3]: https://www.rfc-editor.org/rfc/rfc6455

&gt; Is a web socket secure (wss) connection still encrypted through TLS/SSL if the website/server is not?

Yes.

&gt; Are wss (Secure Web Socket) connections just as secure on an http server as they are on an https server?

Yes (see above). There is one thing to note: if the HTML/JavaScript that opens the secure WebSocket connection comes over non-secure HTTP, the WebSocket connection is still secure, but an attacker might modify the HTML/JavaScript while being sent from the Web server to browser. A HTTP connection isn&#39;t protected against man-in-the-middle sniffing or modification.

if HTTPS is not deployed, try sws - secure websocket on plain http without https

https://github.com/InstantWebP2P/sws

When I execute a query via Laravel&#39;s Eloquent ORM, I want to get the row ID as the Array result key, this will make things easier when I want to check something based on an ID (using array_key_exists) or do some look ups (if I need a specific entry from the result array)

Is there any way I can tell Eloquent to set the key to the fields ID?
[![see image][1]][1]
&lt;!-- source: http://oi60.tinypic.com/kc02a8.jpg --&gt;

 [1]: https://i.stack.imgur.com/2DuBi.png

Laravel Eloquent: Return Array key as the fields ID

I have a output resulting from a timepicker giving 12 hour format of time.

    Eg : &quot;1:45 AM (or) &quot;12:15 PM&quot; as **string**

Is there a way to parse this string format to 24 hour using moment js back to date object?

Convert 12 hour (AM/PM) string to 24 Date object using moment js

I&#39;ve read that WS only works on HTTP, and that WSS works on both HTTP and HTTPS. Are WSS (Secure Web Socket) connections just as secure on an HTTP server as they are on an HTTPS server? Is a Web Socket Secure (WSS) connection still encrypted through TLS/SSL if the website/server is not?

WS on HTTP vs WSS on HTTPS

<p>I've read that WS only works on HTTP, and that WSS works on both HTTP and HTTPS. Are WSS (Secure Web Socket) connections just as secure on an HTTP server as they are on an HTTPS server? Is a Web Socket Secure (WSS) connection still encrypted through TLS/SSL if the website/server is not?</p>


I know cookie-based authentication. SSL and HttpOnly flags can be applied to protect cookie-based authentication from MITM and XSS. However, more special measures will be needed to apply in order to protect it from CSRF. They are just a bit complicated. ([reference][1])

Recently, I discover that JSON Web Token (JWT) is quite hot as a solution for authentication. I know the stuff about encoding, decoding, and verifying JWT. However, I don&#39;t understand why some websites/tutorials tell that there is no need for CSRF protection if JWT is used. I have read quite a lot and have tried to summarize the problems below. I just want someone to provide a bigger picture of JWT and clarify the concepts I misunderstood about JWT.

1. If the JWT is stored in a cookie, I think it is the same as cookie-based authentication except that the server does not need to have sessions to verify the cookie/token. There is still a risk of CSRF if no special measure is implemented. Isn&#39;t JWT stored in a cookie?

2. If the JWT is stored in localStorage/sessionStorage, then there is no cookie involved so don&#39;t need to protect against CSRF. The question is how to send the JWT to the server. I found [here][2] that it is suggested to use jQuery to send the JWT by HTTP header of ajax requests. So, only the ajax requests can do the authentication?

3. Also, I found one more [blog][3] that points to use &quot;Authorization header&quot; and &quot;Bearer&quot; to send the JWT. I don&#39;t understand the method the blog talks about. Could someone please explain more about &quot;Authorization header&quot; and &quot;Bearer&quot;? Does this make the JWT transmitted by HTTP header of ALL requests? If yes, what about CSRF?


  [1]: http://sitr.us/2011/08/26/cookies-are-bad-for-you.html
  [2]: http://www.sitepoint.com/using-json-web-tokens-node-js/
  [3]: https://auth0.com/blog/2014/01/07/angularjs-authentication-with-cookies-vs-token/

Where to store JWT in browser? How to protect against CSRF?

**Preface**
-----------
I&#39;m developing several web services and a handful of clients (web app, mobile, etc.) which will interface with said services over HTTP(s). My current work item is to design an authentication and authorization solution for the product. I have decided to leverage external identity providers, such as Facebook, Google, Microsoft, Twitter, and the like for authentication.

I&#39;m trying to solve the problem of, &quot;when a request comes to my server, how do I know who the user is and how can I be sure?&quot;. More questions below as well...

**Requirements**
----------------
 1. Rely on external identities to indicate who I&#39;m dealing with (&#39;userId&#39; essentially is all I care about).
 2. The system should use token-based authentication (as opposed to cookies for example or basic auth).

 I believe this is the right choice for scaling across multiple clients and servers while providing loose coupling.

**Workflow**
------------
Based on my reading and understanding of token-based authentication, the following is how I imagine the workflow to be. Let&#39;s focus for now on **Facebook in a web browser**. My assumption is that other external identity providers should have similar capabilities, though I have not confirmed just yet.

Note, as of writing, I&#39;m basing the following off of Facebook login version 2.2

1. **Client:** Initiates login to Facebook using the [JavaScript SDK](https://developers.facebook.com/docs/facebook-login/login-flow-for-web/v2.2)
2. **Facebook:** User authenticates and approves app permissions (to access user&#39;s public profile for example)
3. **Facebook:** Sends response to client which contains user’s access token, ID, and signed request
4. **Client:** Stores user access token in browser session ([handled by SDK conveniently](https://developers.facebook.com/docs/facebook-login/login-flow-for-web#token))
5. **Client:** Makes a request to my web service for a secure resource by sending along the user’s access token in the authorization header + the user’s ID (in custom header potentially)
6. **Server:** Reads user access token from request header and initiates verification by sending a request to the debug_token graph API provided by Facebook
7. **Facebook:** Responds back to the server with the user access token info (contains appId and userId)
8. **Server:** Completes verification of the token by comparing the appId to what is expected (known to itself) and the userId to what was sent on the client request
9. **Server:** Responds to the client with the requested resource (assuming the happy authorization path)

I’m imagining steps 5-9 would be repeated for subsequent requests to the server (while the user’s access token is valid – not expired, revoked from FB side, app permissions changed, etc.)

Here&#39;s a diagram to help go along with the steps. Please understand this system is **not** a single page application (SPA). The web services mentioned are API endpoints serving JSON data back to clients essentially; they are not serving HTML/JS/CSS (with the exception of the web client servers).

![Workflow diagram][1]

**Questions**
-------------
 1. First and foremost, are there any glaring gaps / pit falls with the described approach based on my preface and requirements?

 2. Is performing an outbound request to Facebook for verifying the access token (steps 6-8 above) **per client request** required / recommended?

 I know at the very least, I must verify the access token coming from the client request. However, the recommended approach for subsequent verifications after the first is unknown to me. If there are typical patterns, I’m interested in hearing about them. I understand they may be application dependent based on my requirements; however, I just don’t know what to look for yet. I’ll put in the due diligence once I have a basic idea.

 For instance, possible thoughts:
    * Hash the access token + userId pair after first verification is complete and store it in a distributed cache (accessible by all web servers) with expiry equal to access tokens. Upon subsequent requests from the clients, hash the access token + userId pair and check its existence in the cache. If present, then request is authorized. Otherwise, reach out to Facebook graph API to confirm the access token. I’m assuming this strategy might be feasible if I’m using HTTPS (which I will be). However, how does performance compare?

    * The accepted answer in [this StackOverflow question](https://stackoverflow.com/questions/12065492/rest-api-for-website-which-uses-facebook-for-authentication) recommends creating a custom access token after the first verification of the Facebook user token is complete. The custom token would then be sent to the client for subsequent requests. I’m wondering if this is more complex than the above solution, however. This would require implementing my own Identity Provider (something I want to avoid because I want to use external identity providers in the first place…). Is there any merit to this suggestion?

 3. Is the signedRequest field present on the response in step #3 above (mentioned [here](https://developers.facebook.com/docs/facebook-login/login-flow-for-web/v2.2#checklogin)), equivalent to the signed request parameter [here](https://developers.facebook.com/docs/facebook-login/using-login-with-games#checklogin) in the ‘games canvas login’ flow?

 They seem to be hinted as equivalent since the former links to the latter in the documentation. However, I’m surprised the verification strategy mentioned on the games page isn’t mentioned in the ‘manually building a login flow’ [page](https://developers.facebook.com/docs/facebook-login/manually-build-a-login-flow#confirm) of the web documentation.

 4. If the answer to #3 is ‘Yes’, can the same identity confirmation strategy of decoding the signature and comparing to what is expected to be used on the server-side?

 ![Decode &amp; compare from FB docs][2] 

 I’m wondering if this can be leveraged instead of making an outbound call to the debug_token graph API (step #6 above) to confirm the access token as recommended [here](https://developers.facebook.com/docs/facebook-login/manually-build-a-login-flow/v2.2#checktoken):

 ![debug_token graph API from FB docs][3]
 
 Of course, in order to make the comparison on the server-side, the signed request portion would need to be sent along with the request to the server (step #5 above). In addition to feasibility without sacrificing security, I’m wondering how the performance would compare to making the outbound call.

 5. While I’m at it, in what scenario / for what purpose, would you persist a user&#39;s access token to a database for example?
I don’t see a scenario where I would need to do this, however, I may be overlooking something. I’m curious was some common scenarios might be to spark some thoughts.

Thanks!


  [1]: http://i.stack.imgur.com/KdE86.png
  [2]: http://i.stack.imgur.com/2qLdU.png
  [3]: http://i.stack.imgur.com/E7cGW.png

How should a Facebook user access token be consumed on the server-side?

If I get a [JWT](https://jwt.io/) and I can decode the payload, how is that secure? Couldn&#39;t I just grab the token out of the header, decode and change the user information in the payload, and send it back with the same correct encoded secret?

I know they must be secure, but I just would really like to understand the technologies. What am I missing?

If you can decode JWT, how are they secure?

I&#39;ve implemented a BloomFilter in python 3.3, and got different results every session. Drilling down this weird behavior got me to the internal hash() function - it returns different hash values for the same string every session.

Example:

    &gt;&gt;&gt; hash(&quot;235&quot;)
    -310569535015251310

----- opening a new python console -----

    &gt;&gt;&gt; hash(&quot;235&quot;)
    -1900164331622581997

Why is this happening?
Why is this useful?


hash function in Python 3.3 returns different results between sessions

I&#39;m building a mobile app and am using JWT for authentication.

It seems like the best way to do this is to pair the JWT access token with a refresh token so that I can expire the access token as frequently as I want.

 1. What does a refresh token look like? Is it a random string? Is that string encrypted? Is it another JWT?
 2. The refresh token would be stored in the database on the user model for access, correct? It seems like it should be encrypted in this case
 3. Would I sent the refresh token back after a user login, and then have the client access a separate route to retrieve an access-token?


JWT refresh token flow

What&#39;s the correct way to get all client&#39;s IP Addresses from `http.Request`? In `PHP` there are a lot of [variables][1] that I should check. Is it the same on Go? 

One that I found is:

    req.RemoteAddr

And is the request case sensitive? for example `x-forwarded-for` is the same as `X-Forwarded-For` and `X-FORWARDED-FOR`? (from `req.Header.Get(&quot;X-FORWARDED-FOR&quot;)`)

  [1]: https://stackoverflow.com/questions/15699101/get-the-client-ip-address-using-php

Correct way of getting Client&#39;s IP Addresses from http.Request

how is it possible to send a POST request with a simple string in the HTTP body with Alamofire in my iOS app?

As default Alamofire needs parameters for a request:


    Alamofire.request(.POST, &quot;http://mywebsite.com/post-request&quot;, parameters: [&quot;foo&quot;: &quot;bar&quot;])

These parameters contain key-value-pairs. But I don&#39;t want to send a request with a key-value string in the HTTP body.

I mean something like this:

    Alamofire.request(.POST, &quot;http://mywebsite.com/post-request&quot;, body: &quot;myBodyString&quot;)

POST request with a simple string in body with Alamofire

I&#39;m wondering if it is correct to return `HTTP 200 OK` when an error occurred on the server side (the error details would be contained inside the response body).

Example:

 1. We&#39;re sending `HTTP GET`
 2. Something unexpected happened on the server side.
 3. Server returns `HTTP 200 OK` status code with error inside a response (e.g. `{&quot;status&quot;:&quot;some error occurred&quot;}`)

Is this the correct behavior or not? Should we change the status code to something else than 200? 

Returning http 200 OK with error within response body

### Introduction ###

I&#39;ve read the following:

&gt; Hypertext Transfer Protocol (HTTP) is the life of the web. It&#39;s used every time you transfer a document, or make an AJAX request. But HTTP is surprisingly a relative unknown among some web developers.
&gt;
&gt; The HTTP verbs comprise a major portion of our “uniform interface” constraint and provide us the action counterpart to the noun-based resource. The primary or most-commonly-used HTTP verbs (or methods, as they are properly called) are POST, GET, **PUT**, and **DELETE**.

### Huh? ###

Well, we came to the point I lost track of things.

`PUT` and `DELETE`, they say. I&#39;ve only ever heard of `POST` and `GET` and never saw something like `$_PUT` or `$_DELETE` passing by in any PHP code I&#39;ve ever viewed.

### My question ###

What are these methods (PUT) and (DELETE) for and if it&#39;s possible to use them in PHP, how would I go about this.

**Note:** I know this is not really a problem but I always grab a learning opportunity if I see one and would very much like to learn to use these methods in PHP if this is possible.

HTTP protocol&#39;s PUT and DELETE and their usage in PHP

I need to set an Authorization header to an HTML5 EventSource. As Server Sent Events seems to be disused since Websockets appeared, I cannot find any useful documentation. The approach I have already found is to pass the authorization data within the url... but I don&#39;t like this method.

I am using AngularJS and set interceptors on $httpProvider, but the EventSource is not intercepted by AngularJS, so I cannot add any header.

HTTP Authorization Header in EventSource (Server Sent Events)

When developing client side javascript applications, the developer network panel is invaluable for debugging network issues:

![enter image description here][1]

How does a developer creating a NodeJS application monitor the network traffic from the nodejs application to a http/https server?  For example how to debug the following network traffic?

    var http = require(&#39;http&#39;);
    var req = http.request ...
    req.write ...
    req.send()

My code is making a call to a third party https server, so I am unable to use wireshark or similar packet sniffing tools.

For more information, the problem I am trying to investigate is [here][2].

EDIT:

Here are similar questions asking how to do the same thing in other languages:  

- PYTHON: https://stackoverflow.com/questions/10588644/how-can-i-see-the-entire-http-request-thats-being-sent-by-my-python-application
- JAVA: https://stackoverflow.com/questions/3246792/how-to-enable-logging-for-apache-commons-httpclient-on-android


  [1]: http://i.stack.imgur.com/Q6bWm.png
  [2]: https://stackoverflow.com/questions/28813523/error-socket-hang-up-using-node-v0-12-0

how to monitor the network on node.js similar to chrome/firefox developer tools?

As per the docs in Android for `SSLSocket` and `SSLContext`, TLS v1.1 and v1.2 protocols are supported in API level 16+, but are not enabled by default.
http://developer.android.com/reference/javax/net/ssl/SSLSocket.html
http://developer.android.com/reference/javax/net/ssl/SSLContext.html

How do I enable it on a device running Android 4.1 or later (but below 5.0)?

I have tried creating a custom SSLSocketFactory which enables all the supported protocols when `Socket`&#39;s are created and later use my custom implementation as:

&gt; HttpsURLConnection.setDefaultSSLSocketFactory(new MySSLSocketFactory());


    public class MySSLSocketFactory extends SSLSocketFactory {
            
            private SSLContext sc;
            private SSLSocketFactory ssf;  
            
            public MySSLSocketFactory() {
                try {
                    sc = SSLContext.getInstance(&quot;TLS&quot;);
                    sc.init(null, null, null);
                    ssf = sc.getSocketFactory();

                } catch (NoSuchAlgorithmException e) {
                    e.printStackTrace();
                } catch (KeyManagementException e) {
                    e.printStackTrace();
                }  
            }
            
            @Override
            public Socket createSocket(Socket s, String host, int port, boolean autoClose)
                    throws IOException {
                SSLSocket ss = (SSLSocket) ssf.createSocket(s, host, port, autoClose);
                ss.setEnabledProtocols(ss.getSupportedProtocols());
                ss.setEnabledCipherSuites(ss.getSupportedCipherSuites());
                return ss;
            }
    
            @Override
            public String[] getDefaultCipherSuites() {
                return ssf.getDefaultCipherSuites();
            }
    
            @Override
            public String[] getSupportedCipherSuites() {
                return ssf.getSupportedCipherSuites();
            }
    
            @Override
            public Socket createSocket(String host, int port) throws IOException, UnknownHostException {
                SSLSocket ss = (SSLSocket) ssf.createSocket(host, port);
                ss.setEnabledProtocols(ss.getSupportedProtocols());
                ss.setEnabledCipherSuites(ss.getSupportedCipherSuites());
                return ss;
            }
    
            @Override
            public Socket createSocket(InetAddress host, int port) throws IOException {
                SSLSocket ss = (SSLSocket) ssf.createSocket(host, port);
                ss.setEnabledProtocols(ss.getSupportedProtocols());
                ss.setEnabledCipherSuites(ss.getSupportedCipherSuites());
                return ss;
            }
    
            @Override
            public Socket createSocket(String host, int port, InetAddress localHost, int localPort)
                    throws IOException, UnknownHostException {
                SSLSocket ss = (SSLSocket) ssf.createSocket(host, port, localHost, localPort);
                ss.setEnabledProtocols(ss.getSupportedProtocols());
                ss.setEnabledCipherSuites(ss.getSupportedCipherSuites());
                return ss;
            }
    
            @Override
            public Socket createSocket(InetAddress address, int port, InetAddress localAddress,
                    int localPort) throws IOException {
                SSLSocket ss = (SSLSocket) ssf.createSocket(address, port, localAddress, localPort);
                ss.setEnabledProtocols(ss.getSupportedProtocols());
                ss.setEnabledCipherSuites(ss.getSupportedCipherSuites());
                return ss;
            }
        }

But it still gives an exception while trying to establish a connection with a server on which **Only TLS 1.2** is enabled.

Here is the exception I get:

&gt; 03-09 09:21:38.427: W/System.err(2496):
&gt; javax.net.ssl.SSLHandshakeException:
&gt; javax.net.ssl.SSLProtocolException: SSL handshake aborted:
&gt; ssl=0xb7fa0620: Failure in SSL library, usually a protocol error 
&gt;
&gt; 03-09 09:21:38.427: W/System.err(2496): error:14077410:SSL
&gt; routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure
&gt; (external/openssl/ssl/s23_clnt.c:741 0xa90e6990:0x00000000)

How to enable TLS 1.2 support in an Android application (running on Android 4.1 JB)

443 port is typically used for HTTPS/SSL. But is it the only option we can choose for HTTPS/SSL communication. If not, why?

Can I use another port other than 443 for HTTPS/SSL communication?

I am trying to build a web interface to Mock up a restful interface on networking device this networking device uses Digest Authentication and HTTPS.
I figured out how to integrate Digest Authentication into the web server but I cannot seem to find out how to get https using FLASK if you can show me how please comment on what i would need to do with the code below to make that happen.




    from flask import Flask, jsonify
    
    app = Flask(__name__)
    
    
    @app.route(&#39;/&#39;)
    def index():
        return &#39;Flask is running!&#39;
    
    
    @app.route(&#39;/data&#39;)
    def names():
        data = {&quot;names&quot;: [&quot;John&quot;, &quot;Jacob&quot;, &quot;Julie&quot;, &quot;Jennifer&quot;]}
        return jsonify(data)
    
    
    if __name__ == &#39;__main__&#39;:
        app.run()

can you add HTTPS functionality to a python flask web server?

I created my first repository in GitHub yesterday. When making the connection I used SSH instead of HTTPS, so I went through a little painful SSH key creation and connection process. At some point I got stuck and the connection failed. I wondered at that moment how I could revert the process I started and begin with a HTTPS connection instead. Happily, today I got the connection working through SSH but I&#39;m wondering about the value of being able to change the type of connection (SSH vs HTTPS) and if there is a way to do it.

How to change a connection to GitHub from SSH to HTTPS?

I&#39;ve recently set-up a local WebSocket server which works fine, however I&#39;m having a few troubles understanding how I should handle a sudden loss of connection which neither the client or server intentionally initiated, i.e: Server loses power, ethernet cables pulled out etc... I need the client&#39;s to know whether connection has been lost within ~10seconds.

Client side, connection is simply:

    var websocket_conn = new WebSocket(&#39;ws://192.168.0.5:3000&#39;);

	websocket_conn.onopen = function(e) {
		console.log(&#39;Connected!&#39;);
	};

	websocket_conn.onclose = function(e) {
		console.log(&#39;Disconnected!&#39;);
	};

I can manually trigger the connection disconnect which works fine,

    websocket_conn.close();

But if I simply pulled the ethernet cable out the back of the computer, or disabled the connection, `onclose` doesn&#39;t get called. I&#39;ve read in another post that it would eventually get called when [TCP detects loss of connectivity][1], but it&#39;s not in the timely manner that I need as the default for Firefox I believe is 10 minutes, and I don&#39;t really want to go around hundreds of computers `about:config` changing this value. The only other suggestion I&#39;ve read is to use a &#39;ping/pong&#39; keep-alive polling style method which seems counterintuitive to the idea of websockets.

Is there an easier way to detect this kind of disconnect behaviour? Are the old posts i&#39;m reading still up to date from a technical point, and the best method is still &#39;ping/pong&#39; style?

  [1]: https://stackoverflow.com/questions/11809267/how-do-i-know-if-connection-is-alive-with-websockets

Handling connection loss with websockets

I have, what I think to be, a very simple Spring WebSocket application.  However, I&#39;m trying to use path variables for the subscription as well as the message mapping.

I&#39;ve posted a paraphrased example  below. I would expect the `@SendTo` annotation to return back to the subscribers based on their `fleetId`.  ie, a `POST` to `/fleet/MyFleet/driver/MyDriver` should notify subscribers of `/fleet/MyFleet`, but I&#39;m not seeing this behavior.

It&#39;s worth noting that subscribing to literal `/fleet/{fleetId}` works.  Is this intended?  Am I missing some piece of configuration?  Or is this just not how it works?

I&#39;m not very familiar with WebSockets or this Spring project yet, so thanks in advance.

**Controller.java**

    ...
    @MessageMapping(&quot;/fleet/{fleetId}/driver/{driverId}&quot;)
	@SendTo(&quot;/topic/fleet/{fleetId}&quot;)
	public Simple simple(@DestinationVariable String fleetId, @DestinationVariable String driverId) {
		return new Simple(fleetId, driverId);
	}
    ...


**WebSocketConfig.java**

    @Configuration
    @EnableWebSocketMessageBroker
    public class WebSocketConfig extends AbstractWebSocketMessageBrokerConfigurer {
    	@Override
    	public void configureMessageBroker(MessageBrokerRegistry config) {
    		config.enableSimpleBroker(&quot;/topic&quot;);
    		config.setApplicationDestinationPrefixes(&quot;/live&quot;);
    	}
    
    	@Override
    	public void registerStompEndpoints(StompEndpointRegistry registry) {
    		registry.addEndpoint(&quot;/fleet&quot;).withSockJS();
    	}
    }

**index.html**

	var socket = new SockJS(&#39;/fleet&#39;);
	var stompClient = Stomp.over(socket);
	stompClient.connect({}, function(frame) {
        // Doesn&#39;t Work
        stompClient.subscribe(&#39;/topic/fleet/MyFleet&#39;, function(greeting) {
        // Works
		stompClient.subscribe(&#39;/topic/fleet/{fleetId}&#39;, function(greeting) {
			// Do some stuff
		});
	});

**Send Sample**

		stompClient.send(&quot;/live/fleet/MyFleet/driver/MyDriver&quot;, {}, JSON.stringify({
			// Some simple content
		}));

Path variables in Spring WebSockets @SendTo mapping

I have :

1. Apache 2.4 on port 80 of my server, with *[mod_proxy][1]* and *[mod_proxy_wstunnel][2]* enabled

2. Node.js + `socket.io` on port 3001 of the same server

Accessing `example.com` (with port 80) redirects to 2. thanks to [this method][3] with the following Apache configuration:

    &lt;VirtualHost *:80&gt;
        ServerName example.com
        ProxyPass / http://localhost:3001/
        ProxyPassReverse / http://localhost:3001/
        ProxyPass / ws://localhost:3001/
        ProxyPassReverse / ws://localhost:3001/
    &lt;/VirtualHost&gt;

It works for everything, except the websocket part : `ws://...` are not transmitted like it should by the proxy.

When I access the page on `example.com`, I have:

    Impossible to connect ws://example.com/socket.io/?EIO=3&amp;transport=websocket&amp;sid=n30rqg9AEqZIk5c9AABN.

Question: **How to make Apache proxy the WebSockets as well?** 


  [1]: https://httpd.apache.org/docs/2.4/mod/mod_proxy.html
  [2]: https://httpd.apache.org/docs/2.4/mod/mod_proxy_wstunnel.html
  [3]: https://stackoverflow.com/a/18604082/1422096

WebSockets and Apache proxy: how to configure mod_proxy_wstunnel?

We are developing a web application that will run only on modern browsers (IE10+) for different reasons.

One of the features we implemented is Socket.io 1.x. However, by default the Socket.io client tries to support older browsers, so it starts a connection with long polling and then updates that to WebSockets. This is a waste of time and resources, given we know for sure the browser supports WS.

I&#39;ve searched around, and I can only find [this wiki page][1] which, however, is about Socket.io 0.9.

Eventually, I found [the documentation for engine.io-client][2] (on which Socket.io-client is based on the 1.x branch). This is the code that I wrote and *seems* to be working. However, I would like to know if it&#39;s correct or if I&#39;m doing something wrong:

    io.connect(&#39;https://...&#39;, {
        upgrade: false,
        transports: [&#39;websocket&#39;]
    })

Weirdly, just setting the `transports` property to an array with `websockets` only wasn&#39;t enough; I also had to disable `upgrade`. Is this correct?

### Update
I made some new discoveries.

With `transports` set to `[&#39;websocket&#39;]` only, it doesn&#39;t make any difference wether `upgrade` is enabled or not. Is that normal?


  [1]: https://github.com/Automattic/socket.io/wiki/configuring-socket.io
  [2]: https://github.com/Automattic/engine.io-client#methods

Content Type	Original Author	Original Content on Stackoverflow
Question	Isaac	View Question on Stackoverflow
Solution 1 - Security	Takahiko Kawasaki	View Answer on Stackoverflow
Solution 2 - Security	oberstet	View Answer on Stackoverflow
Solution 3 - Security	sequoiar	View Answer on Stackoverflow

WS on HTTP vs WSS on HTTPS

Security Problem Overview

Security Solutions

Solution 1 - Security

Solution 2 - Security

Solution 3 - Security

Convert 12 hour (AM/PM) string to 24 Date object using moment js

Laravel Eloquent: Return Array key as the fields ID

Attributions