Socket.io handshake.secure Flag Always False

I have an application that works with socket.io. But when I connect to the server:

let socket = io.connect('https://my-url.glitch.me', {secure: true});

Server:

io.on('connection', socket => {
    console.log(socket.handshake.secure);
});  

The console displays that “socket.handshake.secure” is “false”! But why? After all, the application uses a secure https connection, so “socket.handshake.secure” must be “true”. Who knows what’s going on? I will be grateful for your help.

I’m not great with websockets, but shouldn’t you be connecting to the websocket secure protocol (wss://) instead of https?

Yes, I tried it, it didn’t help (

Glitch staff would know for sure but I’m pretty sure the secure handshake is terminated at the reverse proxy and then served to your project container over regular HTTP. Essentially your connection is secure over the open web, and once it reaches Glitch’s servers the request is decrypted and it’s sent unencrypted within Glitch’s network.

I’d take a look at Dev Tools on the client, I imagine you’ll see all of socket.io’s requests going to secure endpoints.

With respect to https or wss and socket.io it doesn’t matter which you put, both will be used anyway. Socket.io automatically connects initially with a long polling http connection and if network conditions allow, upgrades to a websocket. You can also see that behavior in DevTools on the client.

1 Like

@FlantasticDan, thank you very much for your response! Is there any way to fix this behavior? How do I make it encrypted on the Glitch network? Should I use the “https” module instead of “http” with my own certificates?

There’s nothing you can do, Glitch’s network is a black box, requests come in and get routed to your project. You have no control over them before they get to your project.

Although I’m not sure why you’d need to, they’re secure over the internet, and nobody but Glitch can touch them before they get to your project, so there isn’t really a practical need to modify them.

If you wanted to confirm that Glitch didn’t modify them, you could come up with some sort of message-level encryption or checksums that happened on the client and then were confirmed by the server, but I think that’d probably be overkill.

2 Likes
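An added example, not code from any poster in this thread: since `socket.handshake.secure` only reflects the hop into the Node process, a server behind a TLS-terminating proxy can judge the client's hop from `X-Forwarded-Proto` instead. It assumes the proxy chain sets that header and appends one entry per hop; the function names, the hop count of 3 and the sample handshakes are hypothetical and constructed for illustration.

```javascript
// X-Forwarded-Proto may carry one entry per proxy hop, e.g. "https,http,http".
function forwardedProtos(value) {
  if (typeof value !== 'string') return [];
  return value.split(',').map(p => p.trim().toLowerCase()).filter(Boolean);
}

// trustedHops: how many proxies operated by you or your host sit in front of
// this process and append to the header (an assumption you must verify for
// your platform). 0 means "ignore forwarded headers entirely".
function clientHopIsSecure(handshake, trustedHops = 0) {
  if (handshake.secure === true) return true;   // TLS ended in this process
  if (trustedHops < 1) return false;            // header is client-controlled
  const protos = forwardedProtos((handshake.headers || {})['x-forwarded-proto']);
  // Count from the right: anything left of this index could have been sent
  // by the client itself, so it is never consulted.
  const idx = protos.length - trustedHops;
  if (idx < 0) return false;                    // fewer hops than expected
  return protos[idx] === 'https' || protos[idx] === 'wss';
}

// Socket.IO middleware (register with io.use) that rejects handshakes whose
// client-facing hop was not TLS.
function requireSecureClient(trustedHops) {
  return (socket, next) =>
    clientHopIsSecure(socket.handshake, trustedHops)
      ? next()
      : next(new Error('insecure transport'));
}

// Constructed handshakes (not captured from a real deployment).
// behindProxy: client used TLS, then three internal hops.
// spoofed: client connected in plaintext but sent its own "https" entry.
const behindProxy = { secure: false, headers: { 'x-forwarded-proto': 'https,http,http' } };
const spoofed = { secure: false, headers: { 'x-forwarded-proto': 'https,http,http,http' } };

console.log(clientHopIsSecure(behindProxy, 3)); // true
console.log(clientHopIsSecure(spoofed, 3));     // false
```

Log the raw `x-forwarded-proto` value from a real handshake first to confirm the header exists and how many entries your host adds before choosing `trustedHops`.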