Why it matters

Insecure WebSockets are easy to abuse: no default rate limit, persistent connections that outlast token TTL, cross-site attacks. Getting security right is critical.

Advertisement

The architecture

Handshake auth: token in query string (visible in logs), Sec-WebSocket-Protocol header, cookie.

Origin check: server verifies Origin header against allowlist.

WebSocket securityHandshake authtoken verifyPer-message authzcheck permissionsRate limitper connection + userToken in URL visible in logs; prefer subprotocol header or cookie for auth
Security layers.
Advertisement

How it works end to end

Per-message authorization: each message action must be authorized. Just because user connected doesn't mean they can do anything.

Rate limiting: cap messages per second per connection AND per user (multi-connection users).

Token refresh: long connections may outlast token TTL. Server can request re-auth mid-session, or use refresh tokens.