WebSockets Security

The Opportunity: Full-Duplex, Bi-Directional Communication for Mobile Apps


The WebSocket Protocol allows an application to seamlessly move from an HTTP/Web-based flow into a socket-based conversation and then back to a Web-based flow. In this way, it allows Web- and mobile-based applications to easily move from the traditional request-reply HTTP world into new forms of low-latency, full-duplex, bi-directional communication.

Traditionally, Web and mobile applications had to work hard to send or receive real-time data. Now, developers can use WebSocket to move data up and down the communication channel quickly and efficiently. This style of communication provides enormous benefits for applications that require messages to be passed quickly between the client and server in both directions.


The Challenge: Securing a New Attack Surface


WebSockets represent a new attack surface. Because (unlike HTTP) WebSocket is a “stateful” protocol, dealing with DoS-type attacks is more complex than usual. Also, because the protocol requires the implementer to define a sub-protocol, WebSocket security must be flexible and customizable enough to work with non-standardized message formats.

Organizations that are serious about providing reliable, scalable solutions will require some way to guard against attempted security breaches aimed at this new attack surface. They must be able to enforce SSL handshakes, limit the number of connection requests, protect against payload injection attacks and enforce strong authentication methods.
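As an added illustration (not Layer 7 code, and not a description of how the SecureSpan Gateway works internally), the following sketch shows the four controls listed above as server-side policy: a TLS requirement and origin check on the handshake, bearer-token authentication, a per-client cap on open connections (the state a WebSocket gateway must track), and a sub-protocol-specific payload validator. Origins, tokens and the message schema are constructed sample values.

```python
# Added example: a minimal server-side WebSocket admission and message policy.
# Origins, tokens, limits and the chat schema below are constructed, not real.
import json
from collections import Counter

MAX_CONN_PER_CLIENT = 2                          # connection-request limit per client
MAX_PAYLOAD_BYTES = 1024                         # guard against oversized frames
ALLOWED_ORIGINS = {"https://app.example.com"}    # constructed allow-list
VALID_TOKENS = {"tok-123": "alice"}              # constructed token -> user map


class WsGateway:
    def __init__(self):
        # WebSocket is stateful: the gateway must remember open connections per client.
        self.conns = Counter()

    def admit(self, headers, client_ip, tls):
        """Decide whether to accept an Upgrade request; returns (ok, user_or_reason)."""
        h = {k.lower(): v for k, v in headers.items()}
        if not tls:
            return False, "tls required"
        if h.get("upgrade", "").lower() != "websocket":
            return False, "not a websocket upgrade"
        if h.get("origin") not in ALLOWED_ORIGINS:
            return False, "origin not allowed"
        auth = h.get("authorization", "")
        token = auth[len("Bearer "):] if auth.startswith("Bearer ") else None
        user = VALID_TOKENS.get(token) if token else None
        if user is None:
            return False, "unauthenticated"
        if self.conns[client_ip] >= MAX_CONN_PER_CLIENT:
            return False, "connection limit"
        self.conns[client_ip] += 1
        return True, user

    def close(self, client_ip):
        """Release a connection slot when the socket closes."""
        if self.conns[client_ip] > 0:
            self.conns[client_ip] -= 1


def validate_message(raw: bytes, schema) -> bool:
    """Sub-protocol-specific check: size cap, well-formed JSON, exact keys and types."""
    if len(raw) > MAX_PAYLOAD_BYTES:
        return False
    try:
        msg = json.loads(raw)
    except ValueError:
        return False
    if not isinstance(msg, dict) or set(msg) != set(schema):
        return False
    return all(isinstance(msg[k], t) for k, t in schema.items())
```

The schema passed to validate_message stands in for whatever message format the application's sub-protocol defines; a real gateway would load it per service.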


The Solution: Implement a Server-Side Mobile Access Gateway


Layer 7’s SecureSpan Mobile Access Gateway provides all the functionality needed to implement a server-side WebSockets security solution. The Mobile Access Gateway extends Layer 7’s industry-leading API Gateway technology in order to address mobile-specific concerns – and it includes a very secure WebSocket implementation.


The Layer 7 Value: Industry-Leading Mobile Gateway Technology


The SecureSpan Mobile Access Gateway leverages Layer 7’s military-grade API security technology. All Layer 7 API Gateways meet the industry’s highest security standards, including FIPS, PCI-DSS, DoD STIG and Common Criteria EAL4+. The SecureSpan Mobile Access Gateway adds security functionality specifically designed for WebSocket implementations.

In addition to the security benefits, the Gateway can be used to enrich or filter data in real-time. This opens the door to a new set of compelling use cases that includes data auditing, image watermarking and blacklist filtering – possibilities valuable enough to stand on their own as justifications for implementing a WebSocket Gateway.


Relevant Resources

451 Research: Layer 7 Targets Enterprises with Mobile API Gateway (report)

Enterprise on the Go: 5 Essentials for BYOD & Mobile Enablement (eBook)

Secure Mobile Access for Enterprise Employees (white paper)

Layer 7 for Mobile Access (solution brief)