WebSocket listener security
WebSocket listeners differ from standard Foundry data ingestion, so ensure that you understand these security paradigms before enabling your connections.
Request authorization
Each WebSocket listener type has specific authentication requirements defined by the external system. Listeners implement the security protocols laid out by those external systems, which vary widely. Palantir makes no guarantees about the suitability or effectiveness of these external system protocols.
You are responsible for ensuring that you understand which guarantees each protocol does or does not provide for the incoming connections and data.
The specific protocols implemented for each listener can be found in the Configure security section of your listener's Configure connection page, as well as in the external system's documentation.
Exportable marking validation
When WebSocket listeners process data, marking validation acts as a security control to prevent unauthorized data exfiltration. The system ensures that any data consumed by your output meets the listener's configured exportable marking requirements.
By default, only data without security markings can be read and incorporated into your compute module inputs. If your compute module needs to process data that carries security markings, you must explicitly configure which markings are permitted for export in the listener's settings. Only a user with the ability to declassify those markings can add them to the configuration.

Subdomains
WebSocket listeners can be mounted to dedicated subdomains, allowing for granular ingress control, comprehensive governance workflows, and isolation of less secure endpoints from the environment's primary enrollment domains. Learn more about listener subdomains.
Endpoint rotation
If the listener's endpoint is compromised, you can rotate it to a new endpoint. Learn more about endpoint rotation.