Question About Flashphoner WCS Information Exposure

hyuk

Member
Hi,

We are currently operating Flashphoner WCS behind an Nginx reverse proxy. During a recent web security assessment, the following items were identified as information exposure:

  • exposed wss endpoint/path
  • exposed Flashphoner product name and version
  • exposed internal event/path information such as OnDataEvent

We would like to ask for clarification on the following points:

  • Is there any official way in Flashphoner to reduce or hide exposure of product name, version, or internal event/path information?
  • Are there any recommended settings that can be applied together with Nginx for this purpose?
  • In a browser-based architecture, is exposure of the wss://... endpoint/path unavoidable by design?
  • If some of this information cannot be hidden structurally, is there any official document or technical explanation stating that this does not represent a critical security issue by itself?

If possible, we would appreciate an official response with any relevant documentation or best practice references.

Thank you.


Max

Administrator
Staff member
Good day.

  • Is there any official way in Flashphoner to reduce or hide exposure of product name, version, or internal event/path information?
  • Are there any recommended settings that can be applied together with Nginx for this purpose?

You should use a secure WebSocket (wss) connection between clients and nginx. That is enough because HTTPS traffic may be intercepted (in theory), but cannot be deciphered by an attacker.

  • In a browser-based architecture, is exposure of the wss://... endpoint/path unavoidable by design?

Yes. All the signaling messages between client and server go through WebSocket.

  • If some of this information cannot be hidden structurally, is there any official document or technical explanation stating that this does not represent a critical security issue by itself?

The WebSocket signaling protocol is documented here: Raw WebSocket API
 