On Thu, Feb 20, 2025 at 12:10 PM pavithra vijayakumar < pavithraav...@gmail.com> wrote:
> Hi Team,
>
> I hope this message finds you well. I am currently working on the
> Guacamole project and am seeking your guidance regarding the security of
> client connections within my Blazor application (using .NET C# and
> JavaScript).
>
> At present, I am able to successfully establish a connection to Guacamole
> through the URL format:
> *https://{guacServer}/#client/{connectionId}?token={authToken}*. However,
> I am concerned about the security implications of exposing the token in the
> URL. This increases the risk of unauthorized access if the URL is copied
> and shared.
> Additionally, I have encountered a *CORS issue* when attempting to pass the
> token in the request header instead of the URL.
>
> Could you kindly advise on how to mitigate these security concerns,
> prevent token exposure in the URL, and resolve the CORS issue?
>

What version of Guacamole are you working with? In general, the token= parameter was removed from Guacamole in the 1.4.0 release via this Jira issue: https://issues.apache.org/jira/browse/GUACAMOLE-956. If you're still using or seeing the token= parameter, then you may be using an older version of Guacamole, and upgrading will take care of a lot of that.

-Nick