noVNC provides browser access to VNC/SPICE sessions via WebSockets. Security depends on TLS termination, websocket proxy hardening, and strict backend network segmentation.
- Use wss:// only for browser connections.
- Terminate TLS at reverse proxy with modern cipher policy.
- Disable insecure ws/http listeners for production.
- Validate origin and host routing at proxy layer.
2) Isolate websockify and backend VNC services
- Keep VNC/SPICE backends on private network segments.
- Restrict websockify to required upstream targets.
- Avoid exposing hypervisor console ports directly.
- Apply connection rate limits to prevent brute-force/session abuse.
3) Protect session and access boundaries
- Gate noVNC behind upstream auth/SSO when multi-user.
- Use short-lived console tokens where platform supports them.
- Log console session starts/stops and source IPs.
- Keep noVNC and websockify updated.
- noVNC project docs: https://novnc.com/info.html
- noVNC source repository: https://github.com/novnc/noVNC
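
The points above on restricting websockify to required upstream targets and on short-lived console tokens can be combined in one check. The following is an added example, not code from noVNC or websockify: standalone Python that mints an HMAC-signed token with an expiry and resolves it to a backend from a server-side allowlist. The key, console ids, backend addresses, token layout and function names are all assumptions made for illustration.

```python
import base64
import hashlib
import hmac
import time

# Constructed sample values: key, console ids and backend addresses are placeholders.
SECRET = b"constructed-demo-key"
ALLOWED_TARGETS = {  # console id -> private backend (host, port)
    "vm-101": ("10.20.0.11", 5901),
    "vm-102": ("10.20.0.12", 5901),
}
MAX_TTL = 120  # seconds; longer-lived tokens are refused at both ends


def _sign(payload: str) -> str:
    mac = hmac.new(SECRET, payload.encode(), hashlib.sha256).digest()
    return base64.urlsafe_b64encode(mac).decode()


def issue_token(console_id, user, ttl=60, now=None):
    """Mint 'console|user|expiry|mac'; call only after upstream auth/SSO succeeds."""
    if console_id not in ALLOWED_TARGETS or "|" in user or not user.isascii():
        raise ValueError("unknown console or invalid user")
    if not 0 < ttl <= MAX_TTL:
        raise ValueError("ttl out of range")
    expiry = int((time.time() if now is None else now) + ttl)
    payload = f"{console_id}|{user}|{expiry}"
    return f"{payload}|{_sign(payload)}"


def resolve_target(token, now=None):
    """Return the allowlisted (host, port) for a valid token, else None."""
    now = time.time() if now is None else now
    if not token.isascii():
        return None
    try:
        console_id, user, expiry_s, mac = token.split("|")
        expiry = int(expiry_s)
    except ValueError:
        return None
    expected = _sign(f"{console_id}|{user}|{expiry_s}")
    if not hmac.compare_digest(expected, mac):  # constant-time comparison
        return None
    if not now < expiry <= now + MAX_TTL:  # expired or implausibly long-lived
        return None
    # The backend comes from the server-side map, never from client input.
    return ALLOWED_TARGETS.get(console_id)
```

A `None` result means the connection is refused before any upstream socket is opened; the decision, together with the source IP, is a natural place to emit the session log entry.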