Server

Security

API signatures, origin restrictions, TLS, and transport hardening.

API Request Authentication

/apps/* HTTP endpoints enforce signed query authentication with HMAC-SHA256 signatures.

Use:

strict clock sync
HTTPS in production
server-side secret storage only

Channel Authorization

Public channels: no auth.
private-* / presence-*: auth signature required.
Presence requires channel_data with user_id.

If enable_user_authentication is on, pusher:signin must use signed auth with signed user_data.

Origin Validation

Per-app allowed_origins can restrict WebSocket origins.

Supported patterns include:

exact domains (app.example.com)
protocol-specific (https://app.example.com)
wildcards (*.example.com)
explicit ports (localhost:3000)

If origin validation is configured and origin is missing or disallowed, connection is rejected.

CORS

HTTP CORS is configurable separately from WebSocket origin checks:

{
  "cors": {
    "origin": ["https://app.example.com"],
    "methods": ["GET", "POST", "OPTIONS"],
    "allowed_headers": ["Authorization", "Content-Type"],
    "credentials": true
  }
}

TLS and Reverse Proxy

Options:

Native TLS (ssl.enabled=true)
TLS termination at ingress/load-balancer

For Unix deployments, Sockudo can bind to a Unix domain socket and stay behind Nginx/Traefik.

Rate Limiting

Enable and tune API/WebSocket protections:

RATE_LIMITER_ENABLED=true
RATE_LIMITER_API_MAX_REQUESTS=100
RATE_LIMITER_API_WINDOW_SECONDS=60
RATE_LIMITER_WS_MAX_REQUESTS=20
RATE_LIMITER_WS_WINDOW_SECONDS=60

Scaling

Horizontal adapters, transport backends, presence sync, and multi-node deployment.

Observability

Health probes, metrics, logs, and disconnect cleanup tuning.