[{"data":1,"prerenderedAt":164},["ShallowReactive",2],{"blog-vulnerabilities/websocket-security":3},{"id":4,"title":5,"body":6,"category":144,"date":145,"dateModified":145,"description":146,"draft":147,"extension":148,"faq":149,"featured":147,"headerVariant":150,"image":149,"keywords":149,"meta":151,"navigation":152,"ogDescription":153,"ogTitle":149,"path":154,"readTime":155,"schemaOrg":156,"schemaType":157,"seo":158,"sitemap":159,"stem":160,"tags":161,"twitterCard":162,"__hash__":163},"blog/blog/vulnerabilities/websocket-security.md","WebSocket Security Explained",{"type":7,"value":8,"toc":134},"minimark",[9,16,21,50,54,59,74,78,87,103,122],[10,11,12],"tldr",{},[13,14,15],"p",{},"WebSockets do not have the same security controls as HTTP. Cookies are sent on connection but not after, CORS does not apply, and CSRF tokens are not automatically included. Validate the Origin header, authenticate each message, and apply input validation to all WebSocket data.",[17,18,20],"h2",{"id":19},"websocket-security-challenges","WebSocket Security Challenges",[22,23,24,32,38,44],"ul",{},[25,26,27,31],"li",{},[28,29,30],"strong",{},"No CORS:"," Any website can open a WebSocket to your server",[25,33,34,37],{},[28,35,36],{},"Auth at connect time:"," Only the handshake includes cookies",[25,39,40,43],{},[28,41,42],{},"No CSRF protection:"," Browsers do not apply same-site restrictions",[25,45,46,49],{},[28,47,48],{},"Persistent connection:"," Session changes may not be reflected",[17,51,53],{"id":52},"common-vulnerabilities","Common Vulnerabilities",[55,56,58],"h3",{"id":57},"cross-site-websocket-hijacking","Cross-Site WebSocket Hijacking",[60,61,63],"code-block",{"label":62},"Vulnerable: no origin check",[64,65,70],"pre",{"className":66,"code":68,"language":69},[67],"language-text","// Server accepts connection without checking origin\nwss.on('connection', (ws, req) => {\n  // req.headers.origin could be any site!\n  // If user is logged in, attacker site can connect\n  // and access their data via WebSocket\n});\n","text",[71,72,68],"code",{"__ignoreMap":73},"",[55,75,77],{"id":76},"secure-websocket-setup","Secure WebSocket Setup",[60,79,81],{"label":80},"Proper origin and auth validation",[64,82,85],{"className":83,"code":84,"language":69},[67],"const allowedOrigins = ['https://yoursite.com'];\n\nwss.on('connection', (ws, req) => {\n  // Validate origin\n  const origin = req.headers.origin;\n  if (!allowedOrigins.includes(origin)) {\n    ws.close(1008, 'Origin not allowed');\n    return;\n  }\n\n  // Authenticate (example: token in query string)\n  const url = new URL(req.url, 'wss://yoursite.com');\n  const token = url.searchParams.get('token');\n\n  const user = validateToken(token);\n  if (!user) {\n    ws.close(1008, 'Unauthorized');\n    return;\n  }\n\n  // Store user for this connection\n  ws.user = user;\n\n  ws.on('message', (data) => {\n    // Validate and sanitize all incoming messages\n    const message = JSON.parse(data);\n    // Apply authorization for each action\n  });\n});\n",[71,86,84],{"__ignoreMap":73},[88,89,90,97],"faq-section",{},[91,92,94],"faq-item",{"question":93},"Should I use wss:// or ws://?",[13,95,96],{},"Always use wss:// (WebSocket Secure) in production. Like HTTPS, it encrypts the connection and prevents interception.",[91,98,100],{"question":99},"How do I handle session expiry?",[13,101,102],{},"WebSocket connections persist after session expires. Implement periodic re-authentication or push session invalidation through the WebSocket itself.",[104,105,106,112,117],"related-articles",{},[107,108],"related-card",{"description":109,"href":110,"title":111},"Related cross-site attack","/blog/vulnerabilities/csrf","CSRF Explained",[107,113],{"description":114,"href":115,"title":116},"HTTP origin controls","/blog/vulnerabilities/cors-misconfiguration","CORS Misconfiguration",[107,118],{"description":119,"href":120,"title":121},"Can steal WS tokens","/blog/vulnerabilities/xss","XSS Explained",[123,124,127,131],"cta-box",{"href":125,"label":126},"/","Start Free Scan",[17,128,130],{"id":129},"audit-your-websockets","Audit Your WebSockets",[13,132,133],{},"Our scanner checks WebSocket endpoints for common security issues.",{"title":73,"searchDepth":135,"depth":135,"links":136},2,[137,138,143],{"id":19,"depth":135,"text":20},{"id":52,"depth":135,"text":53,"children":139},[140,142],{"id":57,"depth":141,"text":58},3,{"id":76,"depth":141,"text":77},{"id":129,"depth":135,"text":130},"vulnerabilities","2026-01-26","WebSockets bypass traditional HTTP security controls. Learn about WebSocket authentication, origin validation, and common security pitfalls to avoid.",false,"md",null,"red",{"noindex":152},true,"Learn how to secure WebSocket connections in your application.","/blog/vulnerabilities/websocket-security","6 min read","[object Object]","TechArticle",{"title":5,"description":146},{"loc":154},"blog/vulnerabilities/websocket-security",[],"summary_large_image","XTn6ryuNrw8gHrri11Yzr07JIvpNjyhrLUTYMuoE38w",1775843926373]