WebSocket Security

WebSockets establish persistent bidirectional connections. They have unique security characteristics that differ from regular HTTP requests.

1. Missing authentication on upgrade:

// Vulnerable: no auth check on WebSocket connection
wss.on("connection", (ws, req) => {
  // req.headers contains cookies and other headers
  // But no verification that the user is authenticated!
  ws.on("message", handleMessage);
});

2. Cross-site WebSocket hijacking:

WebSocket connections send cookies automatically (like HTTP requests). If the server does not validate the Origin header, a malicious page can establish a WebSocket connection to your server using the victim's session cookie:

// Attacker's page — connects to victim's WebSocket server
const ws = new WebSocket("wss://victim-bank.com/ws");
// Browser automatically includes victim's session cookie!
ws.onmessage = (e) => exfiltrate(e.data);

3. No TLS (ws:// instead of wss://): Plain WebSocket connections can be intercepted and manipulated in transit.

Secure WebSockets require authentication at connection time, Origin header validation, and TLS.

Token-based WebSocket authentication:

const wss = new WebSocketServer({ noServer: true });

// Handle upgrade manually to authenticate first
server.on("upgrade", async (req, socket, head) => {
  const url = new URL(req.url, "https://example.com");
  const token = url.searchParams.get("token");

  try {
    const user = await verifyToken(token);
    wss.handleUpgrade(req, socket, head, (ws) => {
      ws.user = user;
      wss.emit("connection", ws, req);
    });
  } catch {
    socket.write("HTTP/1.1 401 Unauthorized\r\n\r\n");
    socket.destroy();
  }
});

Origin validation:

const ALLOWED_ORIGINS = ["https://myapp.com", "https://www.myapp.com"];

server.on("upgrade", (req, socket, head) => {
  const origin = req.headers.origin;
  if (!ALLOWED_ORIGINS.includes(origin)) {
    socket.write("HTTP/1.1 403 Forbidden\r\n\r\n");
    socket.destroy();
    return;
  }
  // proceed with upgrade
});