HTML and CSS Reference
Chapter 5. Security
Security is a crucial issue for web applications that exchange data. Every site or app
that lives and breathes in the web is subject to attack by human or robot invaders. It's
a sad but true reality, and we all have to live with it.
Of course, this does not mean that your web apps are defenseless. The browser's built-in mechanisms (the same-origin policy, the Origin header, and the restricted Sec- headers discussed below) block several common cross-site attacks without any configuration on your part, and the WebSocket handshake was designed with these checks in mind. Treat them as a baseline rather than a guarantee: the server still has to verify the Origin header, authenticate its users, validate every message it receives, and use encrypted wss:// connections.
In this chapter, we are going to present some known security risks a WebSocket app
may have, and also provide you with the tools and knowledge to prevent, confront,
and overcome them, in favor of your users.
You normally don't shake hands with a stranger who refuses to reveal his or her identity. In the WebSocket world, you need to know where a connection request comes from. The Origin header is sent by the browser with every WebSocket handshake and is essential for cross-domain communication: it lets the web server reject connections that were not initiated from a page it trusts, which is what stops a malicious site from opening a socket to your server on behalf of a logged-in visitor. Keep in mind that the browser, not your script, fills in this header; a non-browser client can set Origin to any value, so the check protects browser users but is not a substitute for authenticating the client. Origin was the first security aspect introduced and documented in the WebSocket specification, and for browser clients it remains the most important one.
A few more headers are required before a client is allowed to upgrade to the WebSocket protocol. Such headers begin with a Sec- prefix (for example Sec-WebSocket-Key and Sec-WebSocket-Version). Browsers treat Sec- headers as forbidden header names, so page scripts cannot set them through XMLHttpRequest or similar HTTP APIs; a handshake that carries them can therefore only have been initiated via the WebSocket constructor, rather than by an HTTP API that a script might use to forge the handshake and read the exchanged information.
The following is an example of the WebSocket handshake request sent by a client:
GET /chat HTTP/1.1