WebSocket Security

We've recently had some customers' IT departments ask questions about "WebSocket Security". In reality, I think they get scared by the word 'Socket', as it brings to mind UNIX sockets, which really could be dangerous if exposed over the web. I wrote out this note, which is shown to customers if we detect that WebSockets are disabled on their network (our app still functions in compat mode).

If anyone thinks I've missed something out, shout at me on Twitter (@jreeve0).

WebSockets are full-duplex (bi-directional) TCP connections. The protocol was standardised by the IETF (RFC 6455) in 2011, and was fully implemented by Google Chrome in 2011, Firefox and IE 10 in 2012, Safari in 2013, and Edge at release. The technology reduces latency between a browser and a server because the connection is set up once (an HTTP upgrade handshake) and then kept open, so the per-request connection and header overhead is paid only once instead of on every message. We use WebSockets because they improve our ability to scale and the performance for our users.
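The "set up once" handshake is the part of the protocol that IT departments usually want to see. The following is an added example, not code from the original post or from the author's product: it implements the server side of the RFC 6455 opening handshake (validating the upgrade headers and deriving `Sec-WebSocket-Accept` from the client's key) and, as an assumed local policy, rejects upgrades whose `Origin` is not on an allowlist. The sample request is constructed from the example in RFC 6455 section 1.3; `allowed_origins` and `handshake_response` are names chosen here.

```python
from __future__ import annotations

import base64
import hashlib

# Fixed GUID from RFC 6455 section 1.3, appended to the client key before hashing.
WS_GUID = "258EAFA5-E914-47DA-95CA-C5AB0DC85B11"


def accept_key(client_key: str) -> str:
    """Derive Sec-WebSocket-Accept from Sec-WebSocket-Key (RFC 6455 section 4.2.2)."""
    digest = hashlib.sha1((client_key + WS_GUID).encode("ascii")).digest()
    return base64.b64encode(digest).decode("ascii")


def parse_request(raw: bytes) -> tuple[str, dict[str, str]]:
    """Split an HTTP/1.1 request head into (request line, lowercase header map)."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    headers: dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def handshake_response(raw: bytes, allowed_origins: frozenset[str]) -> bytes:
    """Validate a WebSocket upgrade request and build the server's reply.

    Returns a 101 Switching Protocols response for a valid upgrade from an
    allowed origin; otherwise an HTTP error response that closes the attempt.
    """
    request_line, h = parse_request(raw)
    if request_line.split(" ")[0] != "GET":
        return b"HTTP/1.1 405 Method Not Allowed\r\n\r\n"
    # Upgrade/Connection tokens are case-insensitive; Connection may list several.
    conn_tokens = {t.strip().lower() for t in h.get("connection", "").split(",")}
    if h.get("upgrade", "").lower() != "websocket" or "upgrade" not in conn_tokens:
        return b"HTTP/1.1 400 Bad Request\r\n\r\n"
    if h.get("sec-websocket-version") != "13":
        # RFC 6455 section 4.4: tell the client which version the server speaks.
        return b"HTTP/1.1 426 Upgrade Required\r\nSec-WebSocket-Version: 13\r\n\r\n"
    key = h.get("sec-websocket-key", "")
    # The key must be 16 random bytes, base64-encoded (RFC 6455 section 4.1).
    try:
        if len(base64.b64decode(key, validate=True)) != 16:
            raise ValueError("key is not 16 bytes")
    except ValueError:
        return b"HTTP/1.1 400 Bad Request\r\n\r\n"
    # Assumed policy: browsers always send Origin on WebSocket upgrades, so an
    # allowlist stops pages on other sites from opening a socket in the user's
    # cookie context. The allowlist itself is an input to this example.
    if h.get("origin") not in allowed_origins:
        return b"HTTP/1.1 403 Forbidden\r\n\r\n"
    return (
        "HTTP/1.1 101 Switching Protocols\r\n"
        "Upgrade: websocket\r\n"
        "Connection: Upgrade\r\n"
        f"Sec-WebSocket-Accept: {accept_key(key)}\r\n\r\n"
    ).encode("ascii")


# Constructed sample request, taken from the worked example in RFC 6455 section 1.3.
SAMPLE_REQUEST = (
    b"GET /chat HTTP/1.1\r\n"
    b"Host: server.example.com\r\n"
    b"Upgrade: websocket\r\n"
    b"Connection: Upgrade\r\n"
    b"Sec-WebSocket-Key: dGhlIHNhbXBsZSBub25jZQ==\r\n"
    b"Origin: http://example.com\r\n"
    b"Sec-WebSocket-Version: 13\r\n\r\n"
)

if __name__ == "__main__":
    print(handshake_response(SAMPLE_REQUEST, frozenset({"http://example.com"})).decode())
```

Once the 101 response is sent, both sides stop speaking HTTP and exchange WebSocket frames over the same TCP connection, which is why no further request headers are needed for the life of the socket. The RFC's sample key `dGhlIHNhbXBsZSBub25jZQ==` must produce the accept value `s3pPLMBiTxaQ9kYGzzhZRbK+xOo=`; a server that gets this wrong is refused by every conforming browser.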

Firebase, recently bought by Google, is built entirely upon WebSockets (with tight integration to Google Cloud Platform).

StackExchange uses WebSockets to update windows when comments are added.

Pusher uses WebSockets in all of its products.

Trello uses WebSockets in its product.

Many large companies use WebSockets as a way to reduce network load and improve application performance. Over the last 5 years, the standard has been tested for security and stability. More and more companies are starting to use them in their applications and there is no sign of a decrease in usage.

For more info see