Mediasoup Security hijack handshake

Hello. Before starting to question I want to say I love mediasoup :heart:. Docs and examples are pretty good. jointing pieces was tough in starting but now I got what mediasoup exactly is and I love it. the flexibility it provides is amazing. i was looking for something which can provide Me with everything. but mediasoup so bare metal that I can build my own without concern about any other framework.

So now question. I am building Scalable Application with mediasoup so far I have found everything in docs about router and how we can even create a mediasoup cluster to scale with different host as well.
But one thing is about signalling mediasoup handshake. I have seen examples and docs all suggest to go with websocket. but anyone can look into the inspect element or put javascript to hijack sessions. let’s say if I collect every handshake of mediasoup. Is it possible to hijack session and user won’t even notice ?. Like getting parameters of producer connect alongside user and hijack their session. because handshake is open plain text.

I know only few methods for signalling Rest API, websocket and graphql subscriptions. But all things can be seen from inspect element or any javascript can hijack session. so how can I secure Mediasoup handshake as extra layer of security from application side any suggestions ?

Just use HTTPS/WSS and it’ll not be plain test.

It’s really up to how you signal if that’s possible if you are using secure protocols and monitoring BGP for hijacking attempts/etc.

HTTPS/WSS prevents for mitm. i was looking for a solution where we can hide mediasoup handshake inside some encrypted message to make it more secure. so that even user can’t see what is happening behind the scene. like we see in google meet and zoom calls. i have tried to check from inspect element couldn’t understand exactly how they are doing any handshake. and that becomes first layer of security it self.
here any one can look into inspect element replicate the signalling because any signalling protocol we use the message type we want to send will be same as per mediasoup expectations.
I was looking for more like something end to end encryption type of solution.

Any suggestions please :smile:. I really love mediasoup just that little bit afraid of security concerns.

No, not necessarily.

I won’t detail the attack but secure protocols can be hit drastically with exploitation of this protocol. This is how millions get stolen from companies and more, it’s major sites go offline for hours or go months undetected with massive leaks.


As long as you program your signaling server correctly, it would never matter what details a user knows about another stream. The signal server would be what grants or kicks the user for violations. So can’t see no issues there.

Secure your HTTP/WS protocols, program a solid signaling server with good handling and if you get adventurous see how BGP exploits work, you’ll see it’s not a problem with soup just came part of the internet…

Got it thanks for clearing it out for me . I have started to code wrapper around mediasoup with socket.io.