Web Chat Conversations API - Potential Risk

/api/v2/webchat/guest/conversations

The JWT could be used to keep calling the WSS address during a malicious attack to flood the chat queue. Is there any plan to mitigate this? We could add a layer of security by restricting access on the front end ourselves, but I am just wondering if there is something in the plan on your end.

Hey there! Long time no chat. This is something we have investigated before, the team will reply tomorrow.

Great, thank you Lucie.

Hello :wave:
For your specific concern, we would recommend adoption of our newer Web Messaging Guest APIs: with the newer APIs we have adopted a new design for how the WSS connection is established, to limit potential man-in-the-middle attacks.

Hi Angelo,

Thanks for the new API. This one limits man-in-the-middle attacks, but there is nothing to stop someone from creating a job that keeps calling and creating new conversations, from the same IP address for example, and then jams up the queue.

Do you have something to limit the number of sessions that can be initiated from the same IP address within a short period when using the chat widget?

Thank you so much.

Hi Lex,
For now we have API Limits that can mitigate the potential risk you raised. Additionally, if your concern is flooding of the agent queue, you could also have an initial qualification bot that triages incoming messages to determine whether there is a real user. Another measure is to enable Authenticated Web Messaging, to prevent anonymous access.
We will also explore additional refinements based on source IP address, although in the case of NATing this may have wider implications: as many ISPs tend to aggregate multiple end users behind the same public IP address, there is a risk of blocking all the clients behind a given ISP.
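As an added illustration of the per-source-IP limit discussed in this thread (example code, not Genesys code and not part of the original posts): a sliding-window limiter that a customer could place in their own proxy or backend in front of the conversation-creation call. The IP addresses, traffic timing and the 10-per-60-seconds budget are constructed for the example; the NAT case in the reply above is what the second sample source models, and the comments note where the threshold has to account for it.

```python
"""Sliding-window limiter for 'create conversation' calls keyed by source IP.

Added example for the forum thread above; it is not Genesys code. It assumes
the limiter runs in the customer's own proxy/backend in front of the guest
conversations endpoint, where the real client IP is known (e.g. from a trusted
load balancer), so it is an extra layer on top of the platform's API limits.
"""
from __future__ import annotations

from collections import defaultdict, deque


class IpRateLimiter:
    """Allow at most `max_per_window` conversation creations per source IP
    within any span of `window_seconds`; older timestamps are discarded."""

    def __init__(self, max_per_window: int, window_seconds: float) -> None:
        self.max_per_window = max_per_window
        self.window_seconds = window_seconds
        # per-IP queue of accepted request timestamps (oldest first)
        self._hits: dict[str, deque[float]] = defaultdict(deque)

    def allow(self, client_ip: str, now: float) -> bool:
        q = self._hits[client_ip]
        # Slide the window: forget accepted requests older than the window.
        while q and now - q[0] >= self.window_seconds:
            q.popleft()
        if len(q) >= self.max_per_window:
            # Over budget: reject before a conversation (and queue entry) is created.
            return False
        q.append(now)
        return True


# Constructed sample traffic (documentation-range addresses, not real clients):
#  - one source creating 20 conversations in 5 seconds (the scripted job
#    described in the thread)
#  - one shared NAT address where several genuine users start a chat roughly
#    every 10 seconds; the threshold must stay above this aggregate rate or the
#    whole office/ISP behind that address gets locked out
ATTACKER_IP = "203.0.113.9"
NAT_IP = "198.51.100.7"
SAMPLE_EVENTS = sorted(
    [(i * 0.25, ATTACKER_IP) for i in range(20)]
    + [(i * 10.0, NAT_IP) for i in range(6)]
)


def simulate(events: list[tuple[float, str]], limiter: IpRateLimiter) -> list[tuple[str, bool]]:
    """Replay (timestamp, ip) events through the limiter in time order."""
    return [(ip, limiter.allow(ip, t)) for t, ip in events]


def summarize(results: list[tuple[str, bool]]) -> dict[str, dict[str, int]]:
    """Count allowed/denied decisions per source IP (what you would log/alert on)."""
    out: dict[str, dict[str, int]] = defaultdict(lambda: {"allowed": 0, "denied": 0})
    for ip, ok in results:
        out[ip]["allowed" if ok else "denied"] += 1
    return dict(out)


if __name__ == "__main__":
    limiter = IpRateLimiter(max_per_window=10, window_seconds=60)
    for ip, counts in summarize(simulate(SAMPLE_EVENTS, limiter)).items():
        print(ip, counts)
```

With the constructed traffic the scripted source gets its first 10 creations through and the remaining 10 refused, while the NAT address is untouched because six conversations per minute is under the budget. Log the denied decisions per IP before enforcing anything: that record shows whether a threshold would have hit a shared address, and it is also the signal that a flood is under way. The in-memory dictionary is enough for a single process; a fleet of proxies needs a shared store for the per-IP counters.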
