10. Security Considerations

The WebSocket Protocol design considers multiple security threats. This chapter describes the main security considerations and recommended mitigation measures.

10.1 Non-Browser Clients

The WebSocket Protocol can be used by any client, not limited to web browsers. Non-browser clients do not have browser same-origin policy protection.

Risks:

Can forge Origin headers
Can bypass CORS restrictions
Can initiate numerous connections

Mitigation:

Servers must implement additional authentication
Use token validation (e.g., JWT)
Implement rate limiting
Validate all input data

// Server-side verification example
function verifyClient(info, callback) {
  const allowedOrigins = ['https://example.com'];
  if (!allowedOrigins.includes(info.origin)) {
    callback(false, 403, 'Forbidden');
    return;
  }
  
  const token = info.req.url.split('?token=')[1];
  if (!isValidToken(token)) {
    callback(false, 401, 'Unauthorized');
    return;
  }
  
  callback(true);
}

10.2 Origin Considerations

The Origin header is a critical security mechanism.

Recommended Practices:

Validate Origin: Servers should validate the Origin header
Whitelist Approach: Use whitelists instead of blacklists
Dynamic Origins: Use database configuration if dynamic origins are needed

Note: Non-browser clients can forge Origin, so do not rely solely on Origin validation.

10.3 Attacks On Infrastructure

Cache Poisoning Attacks

WebSocket uses masking mechanism to prevent cache poisoning:

All client-to-server frames MUST be masked
Server-to-client frames MUST NOT be masked
Use random masking keys

Man-in-the-Middle Attacks

Mitigation:

Use wss:// (TLS encryption)
Verify server certificates
Implement certificate pinning

// Browser: Always use wss://
const ws = new WebSocket('wss://example.com/socket');

// Server: Enforce TLS
if (!request.connection.encrypted) {
  response.status(403).send('TLS required');
}

10.4 Implementation-Specific Limits

Implementations should set reasonable limits to prevent resource exhaustion attacks.

Recommended Limits

1. Message Size Limit

const MAX_MESSAGE_SIZE = 1024 * 1024; // 1MB

ws.on('message', (data) => {
  if (data.length > MAX_MESSAGE_SIZE) {
    ws.close(1009, 'Message too big');
  }
});

2. Connection Count Limit

const MAX_CONNECTIONS = 10000;
const connections = new Set();

function acceptConnection(ws) {
  if (connections.size >= MAX_CONNECTIONS) {
    ws.close(1008, 'Server overloaded');
    return false;
  }
  connections.add(ws);
  return true;
}

3. Message Rate Limit

const RATE_LIMIT = 100; // 100 messages per second

function checkRateLimit(clientId) {
  const count = messageCount.get(clientId) || 0;
  if (count > RATE_LIMIT) {
    return false;
  }
  messageCount.set(clientId, count + 1);
  return true;
}

10.5 WebSocket Client Authentication

Authentication Methods

1. Cookie Authentication During Handshake 2. Token in URL Parameters 3. First Message Authentication 4. Custom Handshake Headers

10.6 Connection Confidentiality and Integrity

TLS/SSL Requirements

Production environments must use wss://:

✅ TLS Advantages:

Encrypts all transmitted data
Prevents eavesdropping
Prevents data tampering
Server authentication

❌ ws:// Risks:

Plaintext transmission
Easy to intercept
Cannot verify server identity

10.7 Handling of Invalid Data

Implementations must properly handle invalid data to prevent security vulnerabilities.

Invalid UTF-8 Text

Protocol Violations

When protocol violations are detected, the connection MUST be closed.

10.8 Use of SHA-1 by the WebSocket Handshake

The handshake uses SHA-1 hash algorithm. Although SHA-1 has known collision attacks, it is safe in the handshake context.

Security Checklist

When implementing WebSocket services, check:

Reference Links

Previous Chapter: 9. Extensions
Next Chapter: 11. IANA Considerations

10.1 Non-Browser Clients
10.2 Origin Considerations
10.3 Attacks On Infrastructure
- Cache Poisoning Attacks
- Man-in-the-Middle Attacks
10.4 Implementation-Specific Limits
- Recommended Limits
10.5 WebSocket Client Authentication
- Authentication Methods
10.6 Connection Confidentiality and Integrity
- TLS/SSL Requirements
10.7 Handling of Invalid Data
- Invalid UTF-8 Text
- Protocol Violations
10.8 Use of SHA-1 by the WebSocket Handshake
Security Checklist
Reference Links

10.1 Non-Browser Clients​

10.2 Origin Considerations​

10.3 Attacks On Infrastructure​

Cache Poisoning Attacks​

Man-in-the-Middle Attacks​

10.4 Implementation-Specific Limits​

Recommended Limits​

10.5 WebSocket Client Authentication​

Authentication Methods​

10.6 Connection Confidentiality and Integrity​

TLS/SSL Requirements​

10.7 Handling of Invalid Data​

Invalid UTF-8 Text​

Protocol Violations​

10.8 Use of SHA-1 by the WebSocket Handshake​

Security Checklist​

Reference Links​