Upgrading to the WebSocket Protocol and Ensuring Security
According to my understanding there is upgrade to the WebSocket protocol during the WebSocket handshake.
We use HTTPS connections (we do not use HTTP).
Should we configure the WebSocket protocol in a firewall between a browser and a server?
Or enough to allow only HTTPS between a browser and a server?
There are some libraries (e.g. SockJS) that perform a WebSocket emulation.
Is it enough to allow only HTTPS in a firewall between a browser and a server?
Updated
Last, but not least: in all cases we need to protect our application against WebSocket attacks at the application level (not via firewall):
- DDOS attacks
- CSRF protection
- Authentication
- Authorization
- …
Correct?
Answer
Should we configure the WebSocket protocol in a firewall between a browser and a server?
Can you? It is unclear what specific capabilities your firewall has, so it is unknown if you can do any special filtering for the WebSocket protocol at all. If your firewall offers the possibility and there is only WebSocket to expect, then why not restrict it to what you expect?
Or enough to allow only HTTPS between a browser and a server?
Again, nothing is known about what your firewall can do in the first place, so no recommendations can be made here.
There are some libraries (e.g. SockJS) that perform a WebSocket emulation. Is it enough to allow only HTTPS in a firewall between a browser and a server?
SockJS is just HTTP(S). So exactly this should be allowed.
Last, but not least: in all cases we need to protect our application against WebSocket attacks as described in many threads here.
I’m not sure which attacks you refer to since "described in many threads" does not really point out specific attacks. But very likely a generic firewall will not protect against attacks specific to WebSockets.
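As an added example (not part of the question or the answer above, and not SockJS code): a minimal server-side validation of the WebSocket upgrade handshake that also enforces the Origin allowlist, which is the application-level CSRF-style control the answer says a generic firewall cannot provide. The allowlist and the sample request are constructed; the accept-key derivation follows RFC 6455.

```python
import base64
import hashlib

# RFC 6455 GUID used to derive Sec-WebSocket-Accept from the client's key.
WS_GUID = "258EAFA5-E914-47DA-95CA-C5AB0DC85B11"

# Constructed allowlist: only pages served from this origin may open a socket.
ALLOWED_ORIGINS = {"https://app.example.com"}

# Constructed sample upgrade request (key is the RFC 6455 worked example).
SAMPLE_REQUEST = (
    "GET /chat HTTP/1.1\r\nHost: app.example.com\r\n"
    "Upgrade: websocket\r\nConnection: keep-alive, Upgrade\r\n"
    "Sec-WebSocket-Key: dGhlIHNhbXBsZSBub25jZQ==\r\n"
    "Sec-WebSocket-Version: 13\r\nOrigin: https://app.example.com\r\n\r\n"
)

def parse_request(raw):
    """Split a raw HTTP/1.1 request into (method, target, lower-cased headers)."""
    head = raw.partition("\r\n\r\n")[0]
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers

def accept_key(client_key):
    """Sec-WebSocket-Accept = base64(SHA-1(key + GUID)), RFC 6455 section 4.2.2."""
    digest = hashlib.sha1((client_key + WS_GUID).encode("ascii")).digest()
    return base64.b64encode(digest).decode("ascii")

def validate_upgrade(raw, allowed_origins=ALLOWED_ORIGINS):
    """Return (status, accept) - (101, key) on success, (4xx, None) otherwise."""
    method, _target, h = parse_request(raw)
    if method != "GET" or h.get("upgrade", "").lower() != "websocket":
        return 400, None
    tokens = [t.strip().lower() for t in h.get("connection", "").split(",")]
    if "upgrade" not in tokens:
        return 400, None
    if h.get("sec-websocket-version") != "13":
        return 426, None          # Upgrade Required: unsupported version
    key = h.get("sec-websocket-key", "")
    try:
        if len(base64.b64decode(key, validate=True)) != 16:
            return 400, None
    except ValueError:            # binascii.Error is a ValueError subclass
        return 400, None
    # A browser always sends Origin (RFC 6455); an unlisted or missing origin
    # is rejected here because the firewall cannot tell cross-site from same-site.
    if h.get("origin") not in allowed_origins:
        return 403, None
    return 101, accept_key(key)
```

The Origin check stops cross-site WebSocket hijacking only for browser clients; authentication and authorization of the session behind the socket are still needed, as the question's list notes.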