WebSocket & Real-time
WebSocket origin validation and message rate limiting — security for real-time communication channels.
2 vulnerabilities
WebSocket Missing Origin Validation
Severity: high
A WebSocket server that does not check the Origin header accepts connections from any website, allowing cross-site WebSocket hijacking where a malicious page connects to your WS endpoint using the victim's authenticated session.
CWE-346, OWASP A01:2021
WebSocket Flooding (No Rate Limit)
Severity: medium
A WebSocket server without message rate limiting allows a single client to send thousands of messages per second, exhausting server resources, degrading performance for all users, and potentially causing a denial-of-service.
CWE-770