Security

H3Channels is designed with security as a priority. Here's how we protect your data and infrastructure.

Transport Security

TLS Required: WebTransport requires TLS 1.3. All connections are encrypted end-to-end. Self-signed certificates work for development; use Let's Encrypt for production.

UDP/443: QUIC runs over UDP port 443. Firewalls that block UDP will trigger automatic WebSocket fallback, which runs over TCP with TLS.

Authentication

Token-Based Auth: Clients authenticate with a token passed in the connection query string. Tokens can be simple shared secrets (dev mode) or JWT with HS256 signing.

JWT Support: Enable JWT authentication by setting AUTH_JWT_ENABLED=true and providing a secret. The server validates tokens and extracts user IDs from the sub or user_id claim.
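The validation step above, as an added example using only the Go standard library (not H3Channels' own code): the algorithm is pinned to HS256 and the MAC is checked before the payload is parsed, the exp claim is honoured, and the user ID is taken from sub with user_id as the fallback. The secret, claim values and error names are constructed for the demo.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

var (
	ErrInvalidToken = errors.New("invalid token")
	ErrExpiredToken = errors.New("token expired")
)

// Claims holds the registered claims this example cares about. The server
// described above accepts the user ID from either "sub" or "user_id".
type Claims struct {
	Sub    string `json:"sub,omitempty"`
	UserID string `json:"user_id,omitempty"`
	Exp    int64  `json:"exp,omitempty"` // seconds since the Unix epoch
}

func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// hs256 computes HMAC-SHA256 over the JWT signing input (header.payload).
func hs256(secret []byte, signingInput string) []byte {
	mac := hmac.New(sha256.New, secret)
	mac.Write([]byte(signingInput))
	return mac.Sum(nil)
}

// SignHS256 issues a compact JWT. It is here only so the example can mint its
// own tokens; a real issuer would live in your auth service.
func SignHS256(secret []byte, c Claims) (string, error) {
	payload, err := json.Marshal(c)
	if err != nil {
		return "", err
	}
	input := b64([]byte(`{"alg":"HS256","typ":"JWT"}`)) + "." + b64(payload)
	return input + "." + b64(hs256(secret, input)), nil
}

// VerifyHS256 checks the token and returns the user ID from "sub" or "user_id".
// The algorithm is pinned and the MAC verified before the payload is trusted,
// so an unsigned ("alg":"none") or re-signed token never reaches claim parsing.
func VerifyHS256(secret []byte, token string, now time.Time) (string, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return "", ErrInvalidToken
	}
	headerJSON, err := base64.RawURLEncoding.DecodeString(parts[0])
	if err != nil {
		return "", ErrInvalidToken
	}
	var hdr struct {
		Alg string `json:"alg"`
	}
	if json.Unmarshal(headerJSON, &hdr) != nil || hdr.Alg != "HS256" {
		return "", ErrInvalidToken
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil {
		return "", ErrInvalidToken
	}
	// hmac.Equal is constant-time, so the comparison does not leak how many
	// signature bytes matched.
	if !hmac.Equal(sig, hs256(secret, parts[0]+"."+parts[1])) {
		return "", ErrInvalidToken
	}
	payloadJSON, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return "", ErrInvalidToken
	}
	var c Claims
	if json.Unmarshal(payloadJSON, &c) != nil {
		return "", ErrInvalidToken
	}
	if c.Exp != 0 && !now.Before(time.Unix(c.Exp, 0)) {
		return "", ErrExpiredToken
	}
	switch {
	case c.Sub != "":
		return c.Sub, nil
	case c.UserID != "":
		return c.UserID, nil
	}
	return "", ErrInvalidToken // correctly signed, but identifies nobody
}

func main() {
	secret := []byte("example-secret-change-me") // constructed for the demo
	tok, _ := SignHS256(secret, Claims{Sub: "alice", Exp: time.Now().Add(time.Hour).Unix()})
	fmt.Println(VerifyHS256(secret, tok, time.Now()))
}
```

Because the token travels in the connection query string, keep exp short: query strings tend to end up in proxy and access logs, and a short lifetime bounds what a leaked log line is worth.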

Anonymous Access: If AUTH_ALLOW_PUBLIC=true, unauthenticated clients can subscribe to public channels but cannot publish. Disable this in production if all channels are private.

Authorization

Channel Permissions: The auth provider checks both subscribe and publish permissions. By default, authenticated users can access all channels. Public channels (prefixed with public:) are open to all when AUTH_ALLOW_PUBLIC is enabled.

Custom Logic: Extend the AuthProvider interface to implement RBAC, ACLs, or integration with your existing auth system.
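The documented rules (authenticated users reach every channel, public: channels are readable by anyone only while AUTH_ALLOW_PUBLIC is on, anonymous clients never publish) plus a role requirement on chosen channel prefixes, as an added example. The AuthProvider interface, Principal type and RBACProvider shown here are assumptions for the example; the page does not show the project's actual interface.

```go
package main

import (
	"fmt"
	"strings"
)

// Principal is what the authentication step produced for a connection.
// (Assumed shape; not the project's own type.)
type Principal struct {
	UserID    string
	Anonymous bool
	Roles     []string
}

// AuthProvider mirrors the two decisions the text says the server asks for.
// The real interface in H3Channels is not shown on this page.
type AuthProvider interface {
	CanSubscribe(p Principal, channel string) bool
	CanPublish(p Principal, channel string) bool
}

// PublishRule restricts publishing on channels with the given prefix to the
// listed roles. Rules are evaluated in order; the first matching prefix wins.
type PublishRule struct {
	Prefix string
	Roles  []string
}

// RBACProvider implements the documented defaults plus the role rules.
type RBACProvider struct {
	AllowPublic  bool          // mirrors AUTH_ALLOW_PUBLIC
	PublishRules []PublishRule // channels without a rule fall back to the default
}

func isPublic(channel string) bool { return strings.HasPrefix(channel, "public:") }

func hasRole(p Principal, want []string) bool {
	for _, r := range p.Roles {
		for _, w := range want {
			if r == w {
				return true
			}
		}
	}
	return false
}

func (a RBACProvider) CanSubscribe(p Principal, channel string) bool {
	if p.Anonymous {
		// Anonymous clients may only read public: channels, and only while
		// public access is switched on.
		return a.AllowPublic && isPublic(channel)
	}
	return true // default: authenticated users may read any channel
}

func (a RBACProvider) CanPublish(p Principal, channel string) bool {
	if p.Anonymous {
		return false // anonymous clients never publish, not even to public: channels
	}
	for _, rule := range a.PublishRules {
		if strings.HasPrefix(channel, rule.Prefix) {
			return hasRole(p, rule.Roles)
		}
	}
	return true // no rule configured: documented default for authenticated users
}

func main() {
	var provider AuthProvider = RBACProvider{
		AllowPublic:  true,
		PublishRules: []PublishRule{{Prefix: "alerts:", Roles: []string{"ops"}}},
	}
	anon := Principal{Anonymous: true}
	bob := Principal{UserID: "bob", Roles: []string{"viewer"}}
	fmt.Println(provider.CanSubscribe(anon, "public:news"), provider.CanPublish(bob, "alerts:prod"))
}
```

Keeping the "deny anonymous publish" branch first means a misconfigured rule list can never widen what an unauthenticated client may do; only the authenticated path consults the rules.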

Rate Limiting

Per-Connection Limits: Each connection has a token bucket rate limiter. Default is 10 publishes per second with a burst of 20. Clients exceeding limits receive a RATE_LIMITED error.

Backpressure: For reliable streams, if a subscriber's queue fills up, that subscriber is disconnected with a BACKPRESSURE error. This prevents a slow consumer from affecting other subscribers.
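Both mechanisms from the two paragraphs above, as one added example that is not the project's code: a token bucket with the documented defaults (10 per second, burst of 20) applied per connection before a publish is fanned out, and a bounded per-subscriber queue that reports BACKPRESSURE instead of growing without limit. The clock is injectable so the refill behaviour can be checked without sleeping; type and error names are assumptions.

```go
package main

import (
	"errors"
	"fmt"
	"math"
	"time"
)

var (
	ErrRateLimited  = errors.New("RATE_LIMITED")
	ErrBackpressure = errors.New("BACKPRESSURE")
)

// TokenBucket refills continuously at rate tokens/second up to burst.
type TokenBucket struct {
	rate   float64
	burst  float64
	tokens float64
	last   time.Time
	now    func() time.Time // injectable clock
}

func NewTokenBucket(rate float64, burst int, now func() time.Time) *TokenBucket {
	return &TokenBucket{rate: rate, burst: float64(burst), tokens: float64(burst), last: now(), now: now}
}

// Allow credits the tokens earned since the last call and spends one if available.
func (b *TokenBucket) Allow() bool {
	t := b.now()
	b.tokens = math.Min(b.burst, b.tokens+t.Sub(b.last).Seconds()*b.rate)
	b.last = t
	if b.tokens < 1 {
		return false
	}
	b.tokens--
	return true
}

// Subscriber owns a bounded outbound queue. A full queue means the consumer is
// slower than the publisher; rather than buffering without limit (and letting one
// slow reader hold memory for everyone), delivery fails with BACKPRESSURE and the
// caller disconnects that subscriber.
type Subscriber struct {
	ID    string
	queue chan []byte
}

func NewSubscriber(id string, depth int) *Subscriber {
	return &Subscriber{ID: id, queue: make(chan []byte, depth)}
}

func (s *Subscriber) Deliver(msg []byte) error {
	select {
	case s.queue <- msg:
		return nil
	default:
		return ErrBackpressure
	}
}

// Connection is the publisher side: one limiter per connection, consulted
// before the message touches any subscriber queue.
type Connection struct {
	limiter *TokenBucket
}

// Publish returns the IDs of subscribers that must be disconnected for
// backpressure, or ErrRateLimited if the publisher is over its budget.
func (c *Connection) Publish(msg []byte, subs []*Subscriber) ([]string, error) {
	if !c.limiter.Allow() {
		return nil, ErrRateLimited
	}
	var dropped []string
	for _, s := range subs {
		if errors.Is(s.Deliver(msg), ErrBackpressure) {
			dropped = append(dropped, s.ID)
		}
	}
	return dropped, nil
}

func main() {
	conn := &Connection{limiter: NewTokenBucket(10, 20, time.Now)} // documented defaults
	slow := NewSubscriber("slow", 1)                                // constructed: tiny queue
	for i := 0; i < 3; i++ {
		dropped, err := conn.Publish([]byte("hello"), []*Subscriber{slow})
		fmt.Println(i, dropped, err)
	}
}
```

The limiter sits in front of the fan-out on purpose: a client over budget is rejected before it can contribute to anyone else's queue, which is what keeps the two failure modes independent.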

Origin Checks

WebSocket CORS: The WebSocket upgrader checks the Origin header. In the default implementation, all origins are allowed for development. Configure the CheckOrigin function to restrict origins in production.
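An allow-list CheckOrigin, as an added example rather than the project's default implementation. It assumes the upgrader uses gorilla/websocket's signature for CheckOrigin (func(*http.Request) bool), which the name on this page suggests but does not confirm; the allowed origin is a placeholder. Only an exact scheme-plus-host match passes: a substring or suffix comparison would also accept origins that merely contain the allowed host.

```go
package main

import (
	"fmt"
	"net/http"
	"net/url"
	"strings"
)

// NewOriginChecker returns a CheckOrigin-compatible function that accepts only
// origins whose scheme and host exactly match an allow-list entry.
func NewOriginChecker(allowed ...string) func(r *http.Request) bool {
	set := make(map[string]bool, len(allowed))
	for _, a := range allowed {
		set[strings.ToLower(a)] = true
	}
	return func(r *http.Request) bool {
		origin := r.Header.Get("Origin")
		if origin == "" {
			// Browsers always send Origin on a WebSocket handshake, so a
			// missing header means a non-browser client. The Origin check
			// only defends against cross-site pages running in a browser;
			// non-browser clients are still subject to token authentication.
			return true
		}
		u, err := url.Parse(origin)
		if err != nil || u.Scheme == "" || u.Host == "" {
			return false // includes the opaque "null" origin
		}
		return set[strings.ToLower(u.Scheme+"://"+u.Host)]
	}
}

func main() {
	check := NewOriginChecker("https://app.example.com") // placeholder origin
	r := &http.Request{Header: make(http.Header)}
	r.Header.Set("Origin", "https://app.example.com")
	fmt.Println(check(r))
}
```

Wire it in as `Upgrader{CheckOrigin: NewOriginChecker("https://app.example.com")}` if the upgrader is gorilla's; a port in the page's origin (for example a dev server on a non-default port) must be listed exactly, since the host comparison includes it.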

Reporting Issues

If you discover a security vulnerability, please email security@h3channels.dev. Do not open a public issue. We'll respond within 48 hours.

Best Practices

  • Use TLS certificates from a trusted CA (Let's Encrypt) in production.
  • Set strong JWT secrets and rotate them regularly.
  • Disable AUTH_ALLOW_PUBLIC if all channels require authentication.
  • Configure WebSocket origin checks to match your domain.
  • Monitor rate limit metrics to detect abuse.
  • Keep the server binary updated with the latest patches.