Anyone can spam easily by using the exposed io() function

[ClassicOldSong]

Once linked to the socket anyone can use a simple script to start spamming just by running this in your browser's console:
for (i=1; i<1000; i++) { io().emit("new message", i.toString());};

new message can be replaced with any event that the server can responce, such as I can easily make the onlinecount to a great number:

I hope you can find a solution to solve this problem.

[ClassicOldSong]

Found solution: pass io() into a closure and then use window.io = null; to neutralize the global io() function

[3rd-Eden]

That doesn't solve the problem as you only hide io constructor. Everybody can still create thousands of connections using any other library them choose to import or just through the CLI. But this is hardly a Socket.IO issue as you should take care of rate limiting and DDOS protection your self.

[ClassicOldSong]

Yeah but the demo chatroom can just use this method to flood.

[shawn-simon]

welcome to the internet @ClassicOldSong

[darrachequesne]

That issue was closed automatically. Please check if your issue is fixed with the latest release, and reopen if needed (with a fiddle reproducing the issue if possible).