Chapter 7
WebSocket Security
The chapters in this topic so far have shown you how WebSocket enables full-duplex,
bidirectional communication over the Web. We've looked at how layering WebSocket
with commonly used standard protocols like XMPP and STOMP enables you to take your
TCP-based architectures to the Web and allow your applications to be accessed from
almost anywhere. You also learned how you can enable remote control of systems over
the Internet using VNC.
With these abilities comes the challenge and complexity of security. Web security is
a topic that is as important as it is misunderstood. Although individual parts of a software
system can be designed with security in mind, the security-relevant properties of the system
as a whole emerge from the interactions of many different components and can be very
complex. Enhancing the security of a system means applying techniques to that system to
protect it against specific threats.
The topic of Web security spans network and browser security, including
application-level security and even the security of operating systems. When you enable
your users to access systems over the Internet, you expose your assets (your database,
server, application, and so on) to all types of intended and unintended risks. Web security
techniques mitigate and address threats over the Internet.
The WebSocket standard handles core security by providing for both unencrypted
(ws://) and encrypted (wss://, WebSocket over TLS) transport, and by defining WebSocket
as a framing layer within which existing security protocols can operate unchanged. We
cannot prove that WebSocket itself possesses something called "security" or offer any
final, bulletproof recipes. We can, however, examine specific types of threats related to
WebSocket and recommend best practices to help write and deploy more secure applications.
This chapter describes WebSocket security in detail, explains security decisions
made in the protocol and API designs, and recommends practices for deploying
WebSocket services and applications. There are numerous Web security resources
available that you should read, particularly those relating to any protocols you want to
layer with WebSocket. In this chapter, we focus on aspects of security that pertain directly
to WebSocket.
WebSocket Security Overview
Deploying applications over the Web presents security challenges you must consider
when deciding to use WebSocket. Such challenges include attacks on servers that may
exploit flaws in WebSocket servers in order to gain control over them. There are also