Protocol: Insecure WebSocket Connection
Identifier: frontend_insecure_websocket
Scanner(s) Support
| GraphQL Scanner | REST Scanner | WebApp Scanner |
|---|---|---|
Description
If your frontend application establishes WebSocket connections over plain WS (instead of WSS), the traffic is sent unencrypted, so an attacker positioned on the network path can read or modify it in transit. This means sensitive information transmitted over the WebSocket could be stolen or altered in real time, potentially leading to misuse of data, session hijacking, or other security breaches. Many developers mistakenly assume that WebSocket connections are secure by default, but an unencrypted WebSocket connection is vulnerable to man-in-the-middle attacks in exactly the same way as an unencrypted HTTP connection.
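The following is an added example (not code from the original page or from the scanner itself) showing the insecure pattern this check looks for next to a hardened equivalent, plus a small helper that flags `ws://` endpoints the way a frontend review would. The hostnames and endpoint paths are constructed for the example.

```javascript
// Added example, not the scanner's own code. Hostnames and paths are constructed.

// Returns true when the given WebSocket URL would be opened in plaintext (ws://).
// Unparseable or non-WebSocket URLs return false because they cannot be judged.
function isInsecureWebSocketUrl(url) {
  let parsed;
  try {
    parsed = new URL(url);
  } catch (e) {
    return false;
  }
  return parsed.protocol === "ws:";
}

// Insecure pattern: a hard-coded plaintext endpoint, exactly what the
// frontend_insecure_websocket check reports.
function insecureEndpoint() {
  return "ws://api.example.test/feed"; // constructed sample endpoint
}

// Hardened pattern: derive the WebSocket URL from the page's own origin so a page
// served over HTTPS always talks WSS, and refuse to build a plaintext URL at all.
function buildSecureWebSocketUrl(pageOrigin, path) {
  const origin = new URL(pageOrigin);
  if (origin.protocol !== "https:") {
    throw new Error("refusing to open a WebSocket from a non-HTTPS origin");
  }
  return "wss://" + origin.host + path;
}

// Upgrade an existing ws:// URL to wss:// (used when migrating legacy endpoints).
function upgradeToSecure(url) {
  const parsed = new URL(url);
  if (parsed.protocol === "ws:") {
    parsed.protocol = "wss:";
  }
  return parsed.toString();
}

// Scan a list of endpoints (for example, extracted from a bundled frontend script)
// and return those that would fail this check.
function findInsecureEndpoints(urls) {
  return urls.filter(isInsecureWebSocketUrl);
}
```

In a real page the `pageOrigin` argument would be `window.location.origin`; it is passed explicitly here so the helpers run outside a browser.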
Configuration
Example
Example configuration:
Reference
assets_allowed
Type: List[AssetType]*
List of assets that this check will cover.
skip
Type: boolean
Skip the test if true.