How to prevent Cross-Site WebSocket Hijacking

Content Security Policy 2.0

Content Security Policy provides the connect-src directive, which applies to Ajax/fetch, EventSource and WebSocket.

Content-Security-Policy: connect-src 'self';

But this directive only restricts the origins to which the page carrying the header may connect. It is enforced by the browser on the protected site's own pages, while the attacker's page is served with the attacker's (or no) policy, so the cross-site handshake of a Cross-Site WebSocket Hijacking attack cannot be blocked by Content Security Policy. Likewise, Cross-Origin Resource Sharing (the Access-Control-Allow-Origin header) does not restrict WebSockets: the WebSocket handshake is not subject to CORS checks, so the server must validate the Origin header itself.
