How can I 100% verify the domain from which I received a request or connection via WebSocket?
Ideally, this should take no more than a second.
It should not be susceptible to spoofing like the Host or Origin fields in the headers.
I've considered using JWT, but then the same question arises: how do I verify the domain?
By domain verification, I mean this: we have a server and a bunch of clients, and we have a database with domain:id values. In the connection via the WebSocket, we pass the id in the headers, then we find this id on the server and check whether the request has come from the domain that is linked to that specific id. As I already mentioned, the headers can be faked. Thanks for the answers.
Node.js
I have tried many methods such as headers, JWT and the like, but I have come to the conclusion that all this can be faked if desired by simply copying a couple of values and sending a request via Postman.
Well, it depends. If the WebSocket connection is between two servers, I would definitely consider using mTLS (https://www.cloudflare.com/learning/access-management/what-is-mutual-tls/). Otherwise, if the connection is between a server and a client, I think that anti-CSRF tokens should work (https://www.invicti.com/blog/web-security/protecting-website-using-anti-csrf-token/).
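One way to apply the mTLS suggestion above to the question's domain:id table, as an added example that is not part of the original thread: the server takes the domain from the client's CA-signed certificate instead of from a header. The registry contents, the `x-client-id` header name, and the `createMtlsServer` and `onAccept` names are assumptions.

```javascript
// Added example: tie the client id to the domain in its mTLS certificate.
// Constructed sample of the question's domain:id table.
const REGISTRY = new Map([
  ['id-1001', 'partner-a.example'],
  ['id-1002', 'partner-b.example'],
]);

// DNS names from Node's subjectaltname string, for example
// "DNS:partner-a.example, IP Address:192.0.2.1" -> ["partner-a.example"].
function certDnsNames(cert) {
  const san = cert && cert.subjectaltname;
  // Node JSON-quotes SAN entries with unusual characters; refuse those
  // rather than risk mis-splitting them on the comma.
  if (typeof san !== 'string' || san.includes('"')) return [];
  return san.split(',')
    .map((entry) => entry.trim())
    .filter((entry) => entry.startsWith('DNS:'))
    .map((entry) => entry.slice(4).toLowerCase());
}

// May this TLS peer act as clientId? `authorized` is tlsSocket.authorized,
// true only when the certificate chain verified against our CA.
function isAllowed(clientId, authorized, cert, registry = REGISTRY) {
  const domain = registry.get(clientId);
  if (authorized !== true || !domain) return false;
  return certDnsNames(cert).includes(domain.toLowerCase());
}

// Server wiring. key, cert and ca are PEM values supplied by the operator;
// onAccept is a hypothetical callback that completes the WebSocket handshake.
function createMtlsServer({ key, cert, ca }, onAccept) {
  const https = require('node:https');
  const server = https.createServer({
    key, cert, ca,
    requestCert: true,        // ask every client for a certificate
    rejectUnauthorized: true, // fail the TLS handshake if `ca` did not sign it
  });
  server.on('upgrade', (req, socket, head) => {
    const id = req.headers['x-client-id']; // assumed header name
    if (!isAllowed(id, socket.authorized, socket.getPeerCertificate())) {
      socket.end('HTTP/1.1 403 Forbidden\r\nConnection: close\r\n\r\n');
      return;
    }
    onAccept(req, socket, head);
  });
  return server;
}
```

Copying the id into another client does not help, because the check passes only for a peer holding the private key of a certificate your CA issued for that domain. Matching is exact, so wildcard certificate names are not accepted.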