4.3.3 Origin Header
Topic Version | 1 | Published | 10/31/2016 | |
For Standard | ETP v1.1 |
The Origin header, specifically, should NOT be trusted. While it is relatively secure when sent from a browser agent, WebSocket upgrade requests can (and in the case of ETP most often will) come from server or desktop agents. These agents use APIs that allow any value at all to be set on the HTTP headers. Thus, there is no guarantee that the Origin header is actually correct. That said, if the Origin header is NOT something that is expected, then you have good reason to mistrust and terminate the connection.