
Http headers in Websockets client API

web-development
websocket-security
http-headers
authentication
by Alex Kataev · Feb 23, 2025
TLDR
const ws = new WebSocket('wss://example.com/socket', 'protocol', { headers: { 'Custom-Header': 'value' } });

The above line sets HTTP headers in a WebSocket constructor provided by a library, not by the browser's native WebSocket API, which offers no way to attach custom headers to the handshake. For common scenarios such as sending authentication tokens, consider Socket.IO or WebSocket-Node.

Securing WebSocket: Get Past the loophole

WebSocket's lack of support for custom HTTP headers can pose challenges, especially when it comes to security. However, several workarounds exist that work within WebSocket's constraints and make your connections safe and secure...or at least less insecure:

  • Ticketing system: it's like getting a hall pass in school, a temporary, short-lived token that validates the client when the connection is established.

  • Server-side logic: basically saying "if you're named X, you can enter my house." Tokens passed as part of the URL or subprotocols must be matched to their users on the server before the upgrade is accepted.

  • Subprotocols and query strings: use these fields to carry authentication data for the server to validate. 'Sec-WebSocket-Protocol' never felt so useful.

Authentication: Making Your Way in Without Keys

Since WebSocket has been stubborn about letting custom HTTP headers through, we must find other ways to carry our credentials safely:

  • Bearer tokens: send them as part of the URL, like carrying your pass on your forehead. Make sure they have a limited lifespan and scope.

  • Subprotocols: use the Sec-WebSocket-Protocol header to send bearer tokens or signed JWTs; it's like smuggling your identity in among a group of conspirators.

  • Cookies: the browser automatically includes these sweet (or salty, who am I to judge?) pieces during the handshake.

JWT tokens: The Golden Ticket

When using JWT tokens, be aware of the security practices that make them work effectively:

  • Rotation: rotating tokens at regular intervals reduces the damage a compromised token can do. It's like changing your door locks regularly.

  • Secondary tokens: issue a less privileged, separate JWT for WebSocket connections, like giving your guests the remote control but not the Wi-Fi password.

  • Endpoint security: create a REST endpoint that issues the tokens used for WebSocket connections.

Play Safe: WebSocket Security Tips

The Internet, especially over WebSocket, can be wild, so constant vigilance on security practices is always a good step. Heroku Dev Center's guide, for instance, provides regular updates on security practices. Keep an eye on the WebSocket API too; you never know when it will have a change of heart and allow HTTP headers directly.

While it's all great knowledge, actual experience is a different ball game. So experiment with these strategies, document what you find, and share your results with everyone to make the world of WebSocket a safer place.