Insecure modes

You can run Centrifugo in insecure client mode.

Insecure client mode:

  • disables client timestamp and token check
  • allows anonymous access for all channels
  • allows client to publish into all channels
  • suppresses connection check

This allows to use Centrifugo and centrifuge javascript client as a quick and simple solution when making real-time demos, presentations, testing ideas etc. But this mode is mostly for personal and demonstration uses - you should never turn this mode on in production until you really want it to be there.

on server side

To start Centrifugo in this mode use --insecure flag:

centrifuge --config=config.json --insecure

You can also set insecure option in configuration file to do the same.

on client side

When using insecure mode you can create client connection in this way:

var centrifuge = new Centrifuge({
    "url": url,
    "insecure": true

I.e. without token, user and timestamp parameters. So you can connect to Centrifugo without any backend code.

Look at demo to see insecure mode in action.

Insecure HTTP API mode

Allows to turn of checking HTTP API request API sign. This can be useful if you don't want to sign every API request - for example if you closed API endpoint with firewall or you want to play with API commands from command line using CURL.

To start Centrifugo in this mode use --insecure_api flag:

centrifugo --config=config.json --insecure_api

Insecure admin mode (new in v1.3.0, changed in v1.6.0)

Allows run Centrifugo in insecure admin mode - in this case you don't need to set admin_password and admin_secret for admin endpoints in config - all admin endpoints access won't require authentication at all.

Note that this is only for development or if you protected web interface with firewall rules in production.

To start Centrifugo in this insecure mode run:

centrifugo --config=config.json --insecure_admin

If this mode enabled and you are using web interface you will be logged in automatically without any password. This can be useful if you want to hide Centrifugo web interface behind you own company authentication proxy and don't want to have extra password for Centrifugo:

centrifugo --config=config.json --insecure_admin --web

Again: every insecure mode described here potentially dangerous and you must understand how to protect your Centrifugo by firewall rules this before turning on insecure modes in production.