9

In this answer, it is suggested that it is not safe to use --wsorigins="*" for security reasons. What are the security reasons?

=> How could I make WS-RPC server connection secure in geth?

If I use following flags, would it be enough for security: --ws --wsaddr="127.0.0.1" --wsorigins "*"; where I have replace -wsaddr="0.0.0.0" with -wsaddr="127.0.0.1" in order to connect only from localhost.

--wsaddr value WS-RPC server listening interface

--ws Enable the WS-RPC server

--wsorigins value Origins from which to accept websockets requests

Community
  • 1
alper
  • 8,395
  • 11
  • 63
  • 152

2 Answers2

1

As a general rule of thumb, any open port is a security risk. The best way to prevent an attack by malicious actor would be to have no doors and no windows.

Specifically, in blockchain nodes, the risk is stealing funds from the account the node operates, or just overloading your node with requests.

So by default, the node listens only to localhost loopback interface, so you'll be able to connect locally using either localhost or 127.0.0.1 IP from the server itself.

If you wish to connect from another device on the same LAN, you can bind the node to its LAN IP address, such as 192.168.1.6, it will then listen only on this local IP and shouldn't be listening to your public internet IP.

By using --wsorigins="*" you connections from any interface to be accepted, even ones coming from the internet, which unless you have a router blocking these - is risky.

If you have a well configured firewall and filter ports properly, your machine should be safe from external internet access and can safely use --wsorigins="*", but again - that's only if you know what you're doing.

Kof
  • 2,954
  • 6
  • 23
0

You can try to whitelist your dApp IP/domain

Example:

geth --http --http.corsdomain <YOUR IP or DOMAIN>

All information you can find here

Sergej Müller
  • 1
  • 1