What is WebSocket Security? WS Connection Safety Explained

WS Connection Safety (WebSocket Security)

WebSocket security issues occur when a server accepts WebSocket upgrade requests without verifying the identity of the connecting client. Unlike HTTP requests where authentication is checked per-request, a WebSocket connection is long-lived — once established, it streams data continuously. If the initial handshake skips authentication, every message sent over that connection is exposed. This is classified under CWE-306 (Missing Authentication for Critical Function).

What is WebSocket Security?

WebSockets keep a persistent connection open between the browser and the server. They power chat apps, live dashboards, notifications, and collaborative editing. Once the connection upgrades from HTTP, it stays open — and data flows freely in both directions.

The problem is that most WebSocket implementations authenticate the initial HTTP request but not the upgrade. Or worse, they skip auth entirely and assume that if someone has the WebSocket URL, they belong there. Anyone who opens a connection gets the full stream of real-time data.

This is especially dangerous because WebSocket connections bypass many traditional security controls. CORS doesn't apply to WebSockets. Rate limiting often doesn't either. And because the connection is persistent, an attacker gets continuous access — not just a single response.

How does WebSocket Security work?

The most common pattern is a WebSocket server that listens for connections and immediately starts broadcasting data — no token check, no session validation, no origin verification. Anyone who knows the endpoint can connect.

Here's what this looks like with the popular ws library:

Vulnerable — no authentication on connection

// server.ts
import { WebSocketServer } from 'ws';

const wss = new WebSocketServer({ port: 8080 });

wss.on('connection', (ws) => {
  // No auth check — anyone can connect
  ws.send(JSON.stringify({ type: 'welcome' }));

  // Broadcasts user data to every connection
  setInterval(() => {
    ws.send(JSON.stringify(getUserUpdates()));
  }, 1000);
});

Fixed — JWT verified on upgrade request

// server.ts
import { WebSocketServer } from 'ws';
import { verifyToken } from './auth';

const wss = new WebSocketServer({ noServer: true });

server.on('upgrade', async (req, socket, head) => {
  const token = new URL(req.url, 'http://localhost')
    .searchParams.get('token');

  try {
    const user = await verifyToken(token);
    wss.handleUpgrade(req, socket, head, (ws) => {
      ws.user = user;
      wss.emit('connection', ws, req);
    });
  } catch {
    socket.write('HTTP/1.1 401 Unauthorized\r\n\r\n');
    socket.destroy();
  }
});

wss.on('connection', (ws) => {
  // ws.user is verified — safe to send data
  ws.send(JSON.stringify({ type: 'welcome', user: ws.user.id }));
});

Why do AI tools generate WebSocket Security vulnerabilities?

AI code generators treat WebSockets as a feature to get working, not a security boundary to protect. The generated code connects, sends messages, and looks correct — but skips the auth layer entirely.

WebSocket tutorials skip auth. Most "build a chat app" tutorials focus on message passing, not token validation on the upgrade request. The AI learned the same shortcuts.
Auth on upgrade is non-obvious. HTTP middleware doesn't automatically apply to WebSocket upgrades. You need to handle the <code>upgrade</code> event separately — something the AI won't add unless you ask.
The happy path works without auth. The WebSocket connects, messages flow, the demo looks great. There's no error telling you that authentication is missing.

The result is a real-time endpoint that streams live data — user activity, notifications, internal state — to anyone who opens a WebSocket connection. No login required.

Common WebSocket Security patterns

No auth on upgrade request

The WebSocket server accepts connections without checking tokens, cookies, or session IDs.

Broadcasting to all connections

Sending sensitive updates to every connected client instead of filtering by user or role.

Missing origin validation

Accepting connections from any origin — a cross-site WebSocket hijacking risk.

No per-message authorization

Authenticating the connection once but never checking permissions on individual message types or channels.

How Flowpatrol detects WebSocket Security

Flowpatrol tests your WebSocket endpoints the way an attacker would — connecting without credentials and watching what comes back:

1Discovers WebSocket endpoints by inspecting upgrade headers and scanning common paths like <code>/ws</code>, <code>/socket</code>, and <code>/live</code>.
2Connects without authentication to check if the server accepts unauthenticated upgrade requests.
3Listens for sensitive data in messages broadcast over the open connection — user info, internal IDs, real-time state.
4Reports the finding with the exact endpoint, the upgrade response, and sample messages received without auth.

WebSocket endpoints are invisible to most scanners because they don't speak the protocol. Flowpatrol opens real connections and checks what comes through.

Check your WebSocket endpoints.

Flowpatrol connects to your real-time endpoints without credentials and reports what it finds. Five minutes.

Try it free

WS Connection Safety (WebSocket Security)

What is WebSocket Security?

How does WebSocket Security work?

Here's what this looks like with the popular ws library:

Vulnerable — no authentication on connection

// server.ts
import { WebSocketServer } from 'ws';

const wss = new WebSocketServer({ port: 8080 });

wss.on('connection', (ws) => {
  // No auth check — anyone can connect
  ws.send(JSON.stringify({ type: 'welcome' }));

  // Broadcasts user data to every connection
  setInterval(() => {
    ws.send(JSON.stringify(getUserUpdates()));
  }, 1000);
});

Fixed — JWT verified on upgrade request

// server.ts
import { WebSocketServer } from 'ws';
import { verifyToken } from './auth';

const wss = new WebSocketServer({ noServer: true });

server.on('upgrade', async (req, socket, head) => {
  const token = new URL(req.url, 'http://localhost')
    .searchParams.get('token');

  try {
    const user = await verifyToken(token);
    wss.handleUpgrade(req, socket, head, (ws) => {
      ws.user = user;
      wss.emit('connection', ws, req);
    });
  } catch {
    socket.write('HTTP/1.1 401 Unauthorized\r\n\r\n');
    socket.destroy();
  }
});

wss.on('connection', (ws) => {
  // ws.user is verified — safe to send data
  ws.send(JSON.stringify({ type: 'welcome', user: ws.user.id }));
});

Why do AI tools generate WebSocket Security vulnerabilities?

WebSocket tutorials skip auth. Most "build a chat app" tutorials focus on message passing, not token validation on the upgrade request. The AI learned the same shortcuts.
Auth on upgrade is non-obvious. HTTP middleware doesn't automatically apply to WebSocket upgrades. You need to handle the <code>upgrade</code> event separately — something the AI won't add unless you ask.
The happy path works without auth. The WebSocket connects, messages flow, the demo looks great. There's no error telling you that authentication is missing.

The result is a real-time endpoint that streams live data — user activity, notifications, internal state — to anyone who opens a WebSocket connection. No login required.

Common WebSocket Security patterns

No auth on upgrade request

The WebSocket server accepts connections without checking tokens, cookies, or session IDs.

Broadcasting to all connections

Sending sensitive updates to every connected client instead of filtering by user or role.

Missing origin validation

Accepting connections from any origin — a cross-site WebSocket hijacking risk.

No per-message authorization

Authenticating the connection once but never checking permissions on individual message types or channels.

How Flowpatrol detects WebSocket Security

Flowpatrol tests your WebSocket endpoints the way an attacker would — connecting without credentials and watching what comes back:

1Discovers WebSocket endpoints by inspecting upgrade headers and scanning common paths like <code>/ws</code>, <code>/socket</code>, and <code>/live</code>.
2Connects without authentication to check if the server accepts unauthenticated upgrade requests.
3Listens for sensitive data in messages broadcast over the open connection — user info, internal IDs, real-time state.
4Reports the finding with the exact endpoint, the upgrade response, and sample messages received without auth.

WebSocket endpoints are invisible to most scanners because they don't speak the protocol. Flowpatrol opens real connections and checks what comes through.

WS Connection Safety (WebSocket Security)