Security measures
Ably’s security approach includes multiple layers of protection across the platform:
Transport layer security
All connections to Ably use TLS encryption by default:
- Port 443: HTTPS traffic over TLS (primary for all WebSocket and HTTP connections)
- Port 5671: Ably queues over AMQP (TLS only)
- Port 61614: Ably queues over STOMP (TLS only)
- Port 8883: MQTT adapter over TLS
Message encryption
Ably provides encryption options for message payloads. Messages can be encrypted before transmission, ensuring end-to-end security even if transport encryption were to be compromised. For detailed information about encryption options, see the encryption documentation.
DDoS protection
Ably employs multiple layers of protection against denial of service attacks:
Layer 3/4 protection
AWS Shield Advanced protects against volumetric DDoS attacks at the network and transport layers.
Layer 7 protection
CloudFront WAF protects against application-layer attacks with custom rules and rate limiting.
Automatic detection
Continuous monitoring detects anomalies that indicate an attack is underway.
Scalable infrastructure
Infrastructure scales rapidly to absorb traffic spikes, whether from legitimate usage or attacks.
AWS Shield Advanced
Ably utilizes AWS Shield Advanced to protect against volumetric DDoS attacks. Key features include:
- Automatic attack detection: Continuous monitoring of traffic patterns to detect anomalies
- Automatic mitigation: Filters malicious traffic while allowing legitimate traffic to pass through
- Global network absorption: Leverages AWS’s global network infrastructure to absorb and diffuse attack traffic
- Expert assistance: Access to the AWS Shield Response Team (SRT) during attacks
CloudFront WAF
The CloudFront Web Application Firewall (WAF) protects against application-layer attacks:
- Custom rules: Identify and block malicious requests based on their characteristics
- Rate limiting: Limit the rate of requests from specific IP addresses
- Geographic blocking: Temporarily block traffic from specific regions if attacks originate there
- Bot management: Distinguish between legitimate bots and malicious bots
Resource protection
Ably implements rate limiting at multiple levels to prevent resource exhaustion:
- Per account
- Per application
- Per key
- Per token
- Per IP address
Reporting security vulnerabilities
If you believe you have found a security or privacy vulnerability that could impact Ably or its users, report it immediately by following the Vulnerability Disclosure Policy.
How to report
Submit detailed reports
Submit reports through the official disclosure process at ably.com/disclosure.
One vulnerability per report
Each report should explain one vulnerability with clear impact assessment.
Bug bounty program
Ably operates a bug bounty program that rewards security researchers for legitimate vulnerability reports.
- Financial rewards: Successful vulnerability reports are rewarded based on severity and impact
- Public recognition: Security researchers are recognized on the acknowledgements page
- Coordinated disclosure: Work with Ably’s security team to ensure vulnerabilities are addressed before public disclosure
Legal protection
Activities conducted in accordance with the vulnerability disclosure policy are considered authorized conduct. Ably will not initiate legal action against researchers operating in good faith within policy guidelines.
For questions regarding coordinated disclosure, contact [email protected].
Authentication and authorization
Ably provides multiple authentication mechanisms to secure access to your applications:
API keys
API keys provide basic authentication for server-side applications. Keys can be scoped with specific capabilities to limit what operations they can perform.
Token authentication
Token authentication is recommended for client-side applications:
- Tokens are time-limited and can be revoked
- Tokens can be issued with specific capabilities and channel permissions
- Tokens can include client identity information
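The three token properties listed above (expiry, scoped capability, client identity) can be checked together before an operation is allowed. The following is an added illustration, not Ably's own code: the token is a constructed sample, and the wildcard matching is a simplified model of capability resource patterns.

```python
import time

# Constructed sample token: 1 hour ttl expressed as an absolute expiry in ms,
# bound to one client identity, with a least-privilege capability map.
NOW_MS = 1_700_000_000_000
SAMPLE_TOKEN = {
    "expires": NOW_MS + 60 * 60 * 1000,
    "clientId": "user-42",
    "capability": {
        "chat:lobby": ["subscribe"],                          # read-only on the shared channel
        "chat:user-42:*": ["publish", "subscribe", "presence"],  # full rights on own channels
    },
}


def _resource_matches(pattern: str, channel: str) -> bool:
    """Simplified model (assumption): '*' alone matches everything, a trailing
    '*' matches a prefix, anything else must match the channel name exactly."""
    if pattern == "*":
        return True
    if pattern.endswith("*"):
        return channel.startswith(pattern[:-1])
    return pattern == channel


def check_permission(token, channel, operation, now_ms=None, client_id=None):
    """Return (allowed, reason). Expiry and identity are checked before
    capabilities so a stale or borrowed token is refused regardless of scope."""
    now_ms = int(time.time() * 1000) if now_ms is None else now_ms
    if now_ms >= token["expires"]:
        return False, "token expired"
    bound_id = token.get("clientId")
    if bound_id and client_id and client_id != bound_id:
        return False, "client identity does not match the token's clientId"
    for pattern, ops in token["capability"].items():
        if _resource_matches(pattern, channel) and (operation in ops or "*" in ops):
            return True, f"allowed by capability {pattern!r}"
    return False, "no capability grants this operation on this channel"
```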
Network security
For applications operating behind firewalls or with network security devices, Ably provides clear guidance on required configurations:
Required domains
Core Ably endpoints:
- rest.ably.io - REST API requests
- realtime.ably.io - Realtime WebSocket connections
- a.ably-realtime.com through e.ably-realtime.com - Fallback hosts
- internet-up.ably-realtime.com - General connectivity checks
- ws-up.ably-realtime.com - WebSocket connectivity checks
Ably cannot provide static IP addresses for the cloud-based service as the infrastructure is elastic and IP addresses are reassigned dynamically. You must use domain-based allowlisting rather than IP-based rules.
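As an added example of the domain-based allowlisting described here (not an Ably-provided tool), the function below decides whether an outbound connection is consistent with the documented endpoint domains and TLS ports from this page, and rejects IP literals, lookalike hostnames, and non-TLS ports with a reason a firewall reviewer can act on.

```python
import ipaddress
import re
from typing import NamedTuple

# Hostnames and TLS ports exactly as listed on this page.
ALLOWED_HOSTS = {
    "rest.ably.io",
    "realtime.ably.io",
    "internet-up.ably-realtime.com",
    "ws-up.ably-realtime.com",
}
# Fallback hosts a.ably-realtime.com through e.ably-realtime.com (anchored: no extra labels).
FALLBACK_HOST_RE = re.compile(r"^[a-e]\.ably-realtime\.com$")
ALLOWED_TLS_PORTS = {443, 5671, 61614, 8883}


class Decision(NamedTuple):
    allowed: bool
    reason: str


def check_egress(host: str, port: int) -> Decision:
    """Evaluate one (host, port) egress rule against the documented Ably endpoints."""
    host = host.strip().lower().rstrip(".")  # normalise case and a trailing FQDN dot
    try:
        ipaddress.ip_address(host)
        return Decision(False, "IP-based rule: Ably IPs are dynamic, allowlist domains instead")
    except ValueError:
        pass  # not an IP literal, continue with hostname checks
    if port not in ALLOWED_TLS_PORTS:
        return Decision(False, f"port {port} is not one of the TLS ports Ably uses")
    # Exact match only, so 'rest.ably.io.example.com' is not accepted.
    if host in ALLOWED_HOSTS or FALLBACK_HOST_RE.match(host):
        return Decision(True, "documented Ably endpoint over a TLS port")
    return Decision(False, f"{host!r} is not a documented Ably endpoint")


def audit_rules(rules):
    """Apply check_egress to an iterable of (host, port) pairs, e.g. constructed
    from a firewall configuration export; returns the rules that were rejected."""
    return [(h, p, d.reason) for h, p in rules if not (d := check_egress(h, p)).allowed]
```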
Enterprise customers
Enterprise customers with custom configurations may have different endpoint domains. Contact Ably support to confirm the specific domains for your account configuration.
Compliance and certifications
Ably maintains compliance with industry standards and regulations. For information about specific certifications and compliance frameworks, contact Ably support.
Next steps
- Authentication: Learn about authentication methods and best practices
- Edge network security: Explore edge network security and DDoS protection in detail
- Encryption: Understand message encryption options
- Vulnerability disclosure: Read the full vulnerability disclosure policy
