websocket origin validation

T4rk1n · T4rk1n · commit aff6deed4e8e · 2026-04-14T13:20:46.000-04:00
diff --git a/dash/backends/_fastapi.py b/dash/backends/_fastapi.py
@@ -15,6 +15,7 @@
 import subprocess
 import threading
 import traceback
+from urllib.parse import urlparse
 
 try:
     from fastapi import FastAPI, Request, Response, Body
@@ -699,7 +700,34 @@ def serve_websocket_callback(self, dash_app: "Dash"):
         # pylint: disable=too-many-statements
         ws_path = dash_app.config.requests_pathname_prefix + "_dash-ws-callback"
 
+        # Get allowed origins from dash app config
+        allowed_origins = getattr(
+            dash_app, "_allowed_websocket_origins", []
+        )  # pylint: disable=protected-access
+
+        def validate_origin(origin: str | None, host: str | None) -> str | None:
+            """Validate WebSocket origin. Returns error message or None if valid."""
+            if not origin:
+                return "Origin header required"
+            if origin in allowed_origins:
+                return None  # Explicitly allowed
+            if not host:
+                return "Origin not allowed"
+            # Check same-origin
+            origin_host = urlparse(origin).netloc
+            if origin_host != host:
+                return "Origin not allowed"
+            return None
+
         async def websocket_handler(websocket: WebSocket):
+            # Validate Origin header to prevent Cross-Site WebSocket Hijacking
+            origin = websocket.headers.get("origin")
+            host = websocket.headers.get("host")
+            error = validate_origin(origin, host)
+            if error:
+                await websocket.close(code=4003, reason=error)
+                return
+
             await websocket.accept()
 
             # Track pending get_props requests
diff --git a/dash/dash.py b/dash/dash.py
@@ -473,6 +473,7 @@ def __init__(  # pylint: disable=too-many-statements, too-many-branches
         use_async: Optional[bool] = None,
         health_endpoint: Optional[str] = None,
         websocket_callbacks: Optional[bool] = False,
+        allowed_websocket_origins: Optional[List[str]] = None,
         **obsolete,
     ):
 
@@ -621,6 +622,7 @@ def __init__(  # pylint: disable=too-many-statements, too-many-branches
 
         self._background_manager = background_callback_manager
         self._websocket_callbacks = websocket_callbacks
+        self._allowed_websocket_origins = allowed_websocket_origins or []
 
         self.logger = logging.getLogger(__name__)
 
