Why it matters
Insecure WebSockets are easy to abuse: no default rate limit, persistent connections that outlast token TTL, cross-site attacks. Getting security right is critical.
Advertisement
The architecture
Handshake auth: token in query string (visible in logs), Sec-WebSocket-Protocol header, cookie.
Origin check: server verifies Origin header against allowlist.
Advertisement
How it works end to end
Per-message authorization: each message action must be authorized. Just because user connected doesn't mean they can do anything.
Rate limiting: cap messages per second per connection AND per user (multi-connection users).
Token refresh: long connections may outlast token TTL. Server can request re-auth mid-session, or use refresh tokens.