Skip to main content


Showing posts from December, 2018

Pointers for Websocket Security

Websocket security: 1. In case of form based authentication, the authentication must happen before WebSocket handshake. The sessiontoken must be used when doing the first handshake. 2.  The WebSocket server can use any client authentication mechanism available to a generic HTTP server, such as any cookie field value, basic authentication, digest authentication, or certificate authentication. As long there is a possibility to authenticate the user in a secure manner and the WebSocket server verifies it, the authentication mechanism in question is suitable for use. 3. After authentication comes the authorization part. Authorization is mostly application dependent and mostly controlled at the application logic leve. Same principle of least privilege are applied in this context too. Need to check if a unprivileged user is able to access/ see data/ function of other users.  qa 4. Cross-origin headers must be checked, if they allow all the sites to communicate with