websocket-security
Install: claude install-skill hlsitechio/claude-skills-security
# WebSocket Security Audit
Audit WebSocket implementations. WebSocket auth and authz differ from REST: authentication happens once, at the HTTP upgrade, but messages then flow continuously over that one connection, so authorization has to be enforced on every message rather than once per request.
## When this skill applies
- Reviewing WebSocket server setup (ws, socket.io, etc.)
- Auditing the connection upgrade handler for auth
- Reviewing per-message authorization
- Checking broadcast / room scoping
- Reviewing message size and rate limits
## Workflow
Follow `../_shared/audit-workflow.md`.
### Phase 1: Stack detection
```bash
grep -E '"(ws|socket\.io|@socket\.io/[^"]+|uWebSockets\.js|@nestjs/websockets)":' package.json
# Phoenix Channels
grep -E 'phoenix' mix.exs 2>/dev/null
# SignalR
grep -nE 'Microsoft\.AspNetCore\.SignalR' *.csproj 2>/dev/null
```
### Phase 2: Inventory
```bash
# Server setup
grep -rn 'new WebSocketServer\|new Server\|io =\|WebSocketServer(' src/
# Connection / message handlers
grep -rn '\.on(.connection.\|\.on(.message.\|handleConnection\|@SubscribeMessage' src/
# Auth in upgrade
grep -rn 'handleUpgrade\|verifyClient\|allowRequest' src/
# Broadcast / rooms
grep -rn 'broadcast\|\.to(\|\.in(\|emit(' src/
```
### Phase 3: Detection — the checks
#### Auth on connection upgrade
The WebSocket upgrade is an ordinary HTTP request, and it is the only point at which cookies, headers and the Origin are available for an auth decision. Once the 101 has been sent the client holds an open socket and can already be sending frames, so auth happens here, not after.
- **WSC-AUTH-1** Connection handler verifies auth BEFORE accepting the upgrade.
```ts
// ws library
import { WebSocketServer } from 'ws';
const wss = new WebSocketServer({ port: 8080 });
wss.on('connection', (ws, req) => {
  // BAD — verifying auth INSIDE here means the upgrade already succeeded:
  // the client holds an open socket (and may have sent frames) before this runs
  if (!req.headers.cookie) {
    ws.close(4401, 'unauthorized');
    return;
  }
});
```