Introduction to WebSockets

By @cssaddict


Brief History of Realtime Web Apps

  • Hidden Iframe
  • XMLHttpRequest
    • Shipped in IE 1999
    • In all Major Browsers by 2005
  • Long Polling, HTTP Streaming
    • Used to push data to the client
  • Websockets

What's a WebSocket

The Protocol

Websocket is a IETF-defined protocol that provides full-duplex communications channels over a single TCP connection.


The W3C-degined API enables javascript applications to use WebSockets to build efficient, event-driven, real-time applications

Why We Need This

HTTP doesn't cut it

  • Request/Response cycle is not ideal for real-time apps
    • HTTP is half-duplex communication (like walkie talkies)
  • Data sent in headers for each HTTP request 
    • This adds pointless amounts overhead
  • Latency from creating new TCP connections.

What is it good for

  • Chat apps
  • Social apps (with content feeds)
  • Multi-player games
  • Collaborative apps
  • Financial Applications (
  • 3-way data binding

How does it work

  • Client makes HTTP request with upgrade header
  • Server accepts subprotocol and upgrades connection
  • Boom, Websockets.



  • No headers sent so client and server need to agree on subprotocol.
  • Client can provide an array of subprotocols that the server can choose from
  • Subprotocol Examples
    • XMPP, WAMP, JSON-RPC, REST variants
  • Define how data is formatted (JSON, XML)
  • Define when client/server should receive a response after sending a message
  • Defines a namespace for backwards compatability
var connection = new WebSocket('ws://localhost:1337', 
    ['wamp', 'xmpp', '']);

I Can Haz WebSockets?

Yes, with Polyfill or Fallback

  • web-socket-js - Falls back to Flash Socket
  • sockjs-client - Falls back to XHR-Streaming and Long Polling
  • - Transports include to Flash Socket, XHR-Steaming, Long Polling, Iframe Messaging, JSONP Polling

WebSocket Security

  • Use wss://  
    • encrypted with SSL/TLS and prevent MitM attacks
  • Avoid tunneling other TCP services
    •  XSS attacks can lead to complete remote breaches
  • Validate client input
    • SQL injection is possible over WS as in HTTP
  • Validate server data
    • Use JSON.parse()
    • Never evaluate as code
    • Never apply directly to DOM (like I did in my example.)

WebSocket Security Continued

  • Authenticate connections --
    • initial HTTP Ugrade request sends cookies, so use them.
    • Create expiring tokens for connections
    • Valide Origin header
      • Easily spoofed but do it anyway
  • DOS Attacks --Client can open unlimited connections
    • CloudFlare supports WS
    • Don't do resource intensive stuff with WS
    • Again, Authenticate connections and deny as needed

WebSocket Issues

  • Proxies and Firewalls may kill connection or Upgrade may fail
    • Enterprise proxies not up to date with WebSockets
    • Traffic doesn't loop like HTTP traffic
    • Connection header is stripped
    • Using WSS:// prevents connection from being interpreted by intermediary proxies.
    • Proxies not by default configured to handle WS but can be.

WebSocket Issues

  • Keeping connections alive can be difficult
  • Both Client and Server could go away 
    • Unreliable internet
    • Wireless connection may fade out
  • Error handing is extremely important
    • Let user know
    • Offline mode with local storage and Sync later
  • Don't know if information has been received on other side, (This is what subprotocol are for)




Introduction to WebSockets

By Connor Finn McKelvey