I am using https://github.com/lemmingzshadow/php-websocket/
I can resolve some domains, and I resolved localhost and the domain that points to my local server. But I am wondering if someone else who has a server on their computer can connect to my websocket (through my domain) using a script on their localhost server.
Here is the relevant code:
-> server/server.php

    $server->setAllowedOrigin('localhost');
    $server->setAllowedOrigin('mydomain.com');
-> server/lib/WebSocket/Connection.php

    // check origin:
    if($this->server->getCheckOrigin() === true)
    {
        $origin = (isset($headers['Sec-WebSocket-Origin'])) ? $headers['Sec-WebSocket-Origin'] : false;
        $origin = (isset($headers['Origin'])) ? $headers['Origin'] : $origin;
        if($origin === false)
        {
            $this->log('No origin provided.');
            $this->sendHttpResponse(401);
            stream_socket_shutdown($this->socket, STREAM_SHUT_RDWR);
            $this->server->removeClientOnError($this);
            return false;
        }

        if(empty($origin))
        {
            $this->log('Empty origin provided.');
            $this->sendHttpResponse(401);
            stream_socket_shutdown($this->socket, STREAM_SHUT_RDWR);
            $this->server->removeClientOnError($this);
            return false;
        }

        if($this->server->checkOrigin($origin) === false)
        {
            $this->log('Invalid origin provided.');
            $this->sendHttpResponse(401);
            stream_socket_shutdown($this->socket, STREAM_SHUT_RDWR);
            $this->server->removeClientOnError($this);
            return false;
        }
    }
-> server/lib/WebSocket/Server.php

    public function checkOrigin($domain)
    {
        $domain = str_replace('http://', '', $domain);
        $domain = str_replace('https://', '', $domain);
        $domain = str_replace('www.', '', $domain);
        $domain = str_replace('/', '', $domain);

        return isset($this->_allowedOrigins[$domain]);
    }

    public function setAllowedOrigin($domain)
    {
        $domain = str_replace('http://', '', $domain);
        $domain = str_replace('www.', '', $domain);
        $domain = (strpos($domain, '/') !== false) ? substr($domain, 0, strpos($domain, '/')) : $domain;
        if(empty($domain))
        {
            return false;
        }
        $this->_allowedOrigins[$domain] = true;
        return true;
    }
Edit:
Perhaps I was not clear enough. I want everyone to be able to connect to the websocket, but only if they are on my domain (or my localhost), something like the Same Origin Policy in AJAX.
My concern is that if I allow localhost, then possibly all other local hosts on other computers will be allowed too.
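
Added example (not part of the original post and not php-websocket code): a stricter origin check that compares the full scheme://host[:port] and accepts a localhost origin only when the TCP peer is a loopback address, because a browser sends Origin: http://localhost for a page served from localhost on any machine. The function names, the allowlists and the sample addresses are assumptions, and it assumes clients connect to the server directly rather than through a reverse proxy.

```php
<?php
// Hypothetical helpers for illustration; allowlist values are constructed.
const PUBLIC_ORIGINS = ['http://mydomain.com', 'https://mydomain.com'];
const LOCAL_ORIGINS  = ['http://localhost'];
const LOOPBACK_PEERS = ['127.0.0.1', '::1'];

/** Normalise an Origin header to scheme://host[:port], or null if malformed. */
function normalizeOrigin(string $origin): ?string
{
    $parts = parse_url(trim($origin));
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return null;
    }
    // A browser-sent Origin carries no path, query, fragment or credentials.
    if (array_diff(array_keys($parts), ['scheme', 'host', 'port'])) {
        return null;
    }
    $scheme = strtolower($parts['scheme']);
    if ($scheme !== 'http' && $scheme !== 'https') {
        return null;
    }
    $normalized = $scheme . '://' . strtolower($parts['host']);
    return isset($parts['port']) ? $normalized . ':' . $parts['port'] : $normalized;
}

/** $peerIp is the address of the TCP peer, without the port. */
function isOriginAllowed(string $origin, string $peerIp): bool
{
    $normalized = normalizeOrigin($origin);
    if ($normalized === null) {
        return false;
    }
    if (in_array($normalized, PUBLIC_ORIGINS, true)) {
        return true; // exact match on the whole origin, no substring stripping
    }
    // "localhost" names whichever machine the browser runs on, so the header
    // alone cannot tell the server's own machine from anyone else's.
    return in_array($normalized, LOCAL_ORIGINS, true)
        && in_array($peerIp, LOOPBACK_PEERS, true);
}

// Constructed samples: [Origin header, TCP peer address]
$samples = [
    ['http://mydomain.com', '203.0.113.7'],         // page served from the site
    ['http://localhost', '127.0.0.1'],              // page and browser on the server machine
    ['http://localhost', '203.0.113.7'],            // page on another machine's localhost
    ['http://mydomain.com.example', '203.0.113.7'], // different host with a similar name
];
foreach ($samples as [$origin, $ip]) {
    printf("%-30s %-14s %s\n", $origin, $ip, isOriginAllowed($origin, $ip) ? 'allow' : 'reject');
}
```

The Origin header is supplied by the client, so this check constrains pages running in browsers; a client that is not a browser can send any value, and keeping those out needs authentication on the connection itself.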