Check_origin for production environment


I deployed to production a brand new Phoenix (1.7.0-rc.2) project with the generated LiveView authentication from mix phx.gen.auth. The websocket connections could never be established until I added check_origin: ["//localhost", "//"] to my App.Endpoint configuration in config/prod.exs. Before, I kept getting HTTP 403 errors for those websocket connections. Everything worked fine for development as the origin isn’t, as expected, checked.

Is setting check_origin a must for websocket connections to even work? I don’t really understand the documentation on check_origin for Phoenix.Endpoint.socket/3. I would assume my setup is nothing out of ordinary, beside maybe having a subdomain is not so common.

Hopefully someone knows what’s the deal here. Thank you!

1 Like

It’s a must for websocket connections to work safely. Consider it the same as using CSRF token for form submits.

1 Like

personally and may be it is best practice, I would recommend to pull the value for check_orgin from an environment variable

1 Like

I just ran into this very issue a few moments ago, searched for reading and found this topic.

I understand why the config is important. One thing worth noting though it’s not directly related to the original question is that check_origin can be set in runtime.exs. In one of my use case scenarios, I won’t know on what host the application may be running, so having a non-compile time way to use this configuration point is important.

I see that check_origin can be set false and no checking is then done… I just tested and works great! But you end up with the security vulnerability described. I don’t understand (and haven’t yet researched) the statement in the documentation:

If true, the header is checked against :host in YourAppWeb.Endpoint.config(:url)[:host].

But at least it looks like there are avenues to getting a sane value in place after compile time.