Skip to content

WebSockets

How to secure a WebSocket connection

  • Use the wss:// protocol (WebSockets over TLS).
  • Hard code the URL of the WebSockets endpoint, and certainly don't incorporate user-controllable data into this URL.
  • Protect the WebSocket handshake message against CSRF, to avoid cross-site WebSockets hijacking vulnerabilities.
  • Treat data received via the WebSocket as untrusted in both directions. Handle data safely on both the server and client ends, to prevent input-based vulnerabilities such as SQL injection and cross-site scripting.