Where I work there are pretty stringent enterprise security rules on using web sockets.
Basically if you have client A and server B, any instantiated communication from A->B or from B->A needs to be authenticated.
So if client A calls server B, server B should be able to validate that the message it's receiving is valid.
And vice versa should be true.
So for example, if the data window my subscription is looking at on the client changes, when server B sends client A the subscription update, client A should be able to validate that the message is coming from a reliable source (i.e. not some intermediary who is spoofing the message).
I was bouncing around the DDP code but did not find anywhere where the client explicitly validates the message the server sends. I could have easily missed this.
If the answer is "there is no explicit validation happening, but that is why you should always be running SSL so nobody in the middle can decipher your channel data", I get it, but that is not the answer I am looking for and it is one that does not meet our security rules.
If validation does occur and I just couldn't find it, a link to the relevant code would be very helpful.
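The kind of per-message, per-direction authentication the post describes, as an added example: this is not Meteor or DDP code and makes no claim about what DDP itself does. The key names, the sender labels, and the sequence-number rule are assumptions; the sample messages are constructed.

```python
import hashlib
import hmac
import json

# Constructed, illustrative keys: each direction gets its own secret,
# provisioned out of band (hypothetical names, not DDP/Meteor identifiers).
KEY_SERVER_TO_CLIENT = b"constructed-server-to-client-key"
KEY_CLIENT_TO_SERVER = b"constructed-client-to-server-key"

def canonical(msg: dict) -> bytes:
    # Deterministic serialization so both ends MAC the identical bytes.
    return json.dumps(msg, sort_keys=True, separators=(",", ":")).encode()

def sign_message(msg: dict, key: bytes, sender: str, seq: int) -> dict:
    # Bind the sender label and a sequence number into the authenticated body
    # so a message cannot be re-attributed to the other party or replayed.
    body = dict(msg, sender=sender, seq=seq)
    tag = hmac.new(key, canonical(body), hashlib.sha256).hexdigest()
    return dict(body, mac=tag)

def verify_message(signed: dict, key: bytes, expected_sender: str, last_seq: int):
    """Return the authenticated body, or None if sender, seq or MAC is bad."""
    if signed.get("sender") != expected_sender:
        return None
    if not isinstance(signed.get("seq"), int) or signed["seq"] <= last_seq:
        return None
    body = {k: v for k, v in signed.items() if k != "mac"}
    expected = hmac.new(key, canonical(body), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, str(signed.get("mac", ""))):
        return None
    return body

def demo() -> dict:
    # Constructed DDP-style subscription update from server B to client A.
    update = {"msg": "changed", "collection": "orders", "id": "o1",
              "fields": {"status": "shipped"}}
    signed = sign_message(update, KEY_SERVER_TO_CLIENT, "serverB", seq=7)
    accepted = verify_message(signed, KEY_SERVER_TO_CLIENT, "serverB", last_seq=6)
    # An intermediary rewriting a field without the key: MAC no longer matches.
    spoofed = dict(signed, fields={"status": "cancelled"})
    rejected = verify_message(spoofed, KEY_SERVER_TO_CLIENT, "serverB", last_seq=6)
    # Delivering the same valid message a second time: the seq check rejects it.
    replayed = verify_message(signed, KEY_SERVER_TO_CLIENT, "serverB", last_seq=7)
    # Signed with the client-direction key but labelled as the server: rejected.
    wrong_dir = sign_message(update, KEY_CLIENT_TO_SERVER, "serverB", seq=8)
    cross = verify_message(wrong_dir, KEY_SERVER_TO_CLIENT, "serverB", last_seq=7)
    return {"accepted": accepted is not None, "rejected": rejected is None,
            "replayed": replayed is None, "cross": cross is None}
```

The same functions serve the client-to-server direction with `KEY_CLIENT_TO_SERVER` and the client's sender label, so each side validates what it receives independently of the transport.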