class WebsocketTagger
- WebsocketTagger
- Tagger
- Reference
- Object
Overview
Flags WebSocket endpoints — long-lived, bidirectional channels whose threat model (origin checks on the handshake, per-message authz, no CSRF token on the upgrade) differs from a request/response route.
Defined in:
tagger/taggers/websocket.cr
Constant Summary
- STRONG_HEADERS = Set {"sec_websocket_key", "sec_websocket_accept"}
  Handshake headers that appear essentially only in a WebSocket upgrade, so a single one is conclusive. Sec-WebSocket-Key (client) and Sec-WebSocket-Accept (server) are reserved for the handshake.
- URL_MARKERS = ["socket.io", "sockjs"]
  Transport-library markers that survive in the URL even when the analyzer leaves the protocol as plain HTTP: Socket.IO and SockJS run an HTTP handshake before upgrading, so their routes are emitted as ordinary HTTP endpoints.
- WEAK_HEADERS = Set {"sec_websocket_version", "sec_websocket_protocol", "sec_websocket_extensions"}
  Also part of the handshake but individually a touch less conclusive; two together flag the endpoint.
- WS_PROTOCOLS = Set {"ws", "wss", "websocket"}
  AsyncAPI specs carry the raw server protocol (ws, wss, websocket); HTTP analyzers set ws. Accept every spelling so wss/websocket endpoints aren't missed.
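
The decision rule these constants describe, written out as an added Crystal example (not the project's own code). The `SampleEndpoint` record, the `normalize` helper, the order of the checks and the sample endpoints are assumptions made for illustration.

```crystal
# Added illustration, not code from tagger/taggers/websocket.cr.
# Constant values are copied from the page; everything else is assumed.
STRONG_HEADERS = Set{"sec_websocket_key", "sec_websocket_accept"}
WEAK_HEADERS   = Set{"sec_websocket_version", "sec_websocket_protocol", "sec_websocket_extensions"}
URL_MARKERS    = ["socket.io", "sockjs"]
WS_PROTOCOLS   = Set{"ws", "wss", "websocket"}

# Hypothetical endpoint shape; the real tagger uses the analyzer's own type.
record SampleEndpoint, url : String, protocol : String, headers : Array(String)

# Assumed normalization so "Sec-WebSocket-Key" matches "sec_websocket_key".
def normalize(name : String) : String
  name.downcase.tr("-", "_")
end

# Returns why the endpoint counts as WebSocket, or nil if it does not.
def websocket_reason(ep : SampleEndpoint) : String?
  return "protocol" if WS_PROTOCOLS.includes?(ep.protocol.downcase)

  names = ep.headers.map { |h| normalize(h) }.to_set
  return "strong header" unless (names & STRONG_HEADERS).empty?
  return "two weak headers" if (names & WEAK_HEADERS).size >= 2

  url = ep.url.downcase
  return "url marker" if URL_MARKERS.any? { |marker| url.includes?(marker) }
  nil
end

# Constructed sample endpoints.
samples = [
  SampleEndpoint.new("/chat", "wss", [] of String),
  SampleEndpoint.new("/live", "http", ["Sec-WebSocket-Key"]),
  SampleEndpoint.new("/feed", "http", ["Sec-WebSocket-Version", "Sec-WebSocket-Protocol"]),
  SampleEndpoint.new("/ping", "http", ["Sec-WebSocket-Version"]), # one weak header: not flagged
  SampleEndpoint.new("/socket.io/", "http", [] of String),
]

samples.each do |ep|
  puts "#{ep.url}: #{websocket_reason(ep) || "not flagged"}"
end
```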