Protecting WebSocket Protocol Apps and APIs with Fastly

The 4.2 release of the Fastly agent introduces WebSocket traffic inspection, enabling customers to extend the coverage of applications, APIs, and microservices protected by Fastly’s Next-Gen WAF to apps and services that utilize the WebSockets protocol. Rarely found in traditional WAF solutions, WebSocket traffic inspection and malicious request blocking is yet another example of how Fastly technology stands apart and truly empowers customers to protect any app or API from any web attack. But first…

What are WebSockets?

WebSockets are an alternative communications protocol to HTTP that allows for bi-directional, real-time communication between a client and server via a persistent channel. The HTTP protocol operates in a request/response fashion, which can cause headaches (e.g., constant polling, HTTP request header overhead, etc.) when trying to implement applications that require real-time communication, e.g., a chat application or multiplayer gaming server. WebSockets are also seeing adoption in Internet of Things (IoT) services and are increasingly becoming part of the portfolio of apps and services security and DevOps teams must secure.

New Protocol, Same Vulnerabilities

The WebSocket protocol can be used to transmit binary and text-based payloads and, as such, is still vulnerable to injection-based attacks like SQL injection and Cross-Site Scripting (XSS). The protocol ensures that a connection between a client and server persists and communications occur in real time; bad actors can still use this protocol to transmit malicious code to steal or deface your data, or worse.

WebSocket Protection in Fastly Next-Gen WAF

Configuring WebSocket Inspection

The Fastly agent can be configured to act as a reverse proxy, fronting your apps and APIs, and in that configuration, be set to inspect WebSocket traffic in addition to HTTP. A third-party reverse proxy or load balancer isn’t required! Setting up WebSocket inspection is a straightforward two-step process:

  1. Deploy the Fastly agent as a reverse proxy to your WebSocket app or API

  2. Set the agent configuration to enable WebSocket inspection

At this point, the  Next-Gen WAF will automatically inspect any incoming WebSocket request with a text-based payload for any malicious attacks or anomalies and, based on your rules, flag or block the connection.

Creating Rules for WebSocket Traffic

Power Rules provide users with a flexible way to customize what types of requests/attacks/anomalies the Next-Gen WAF should flag or block without the need for regex or scripting. Parameters and values passed in WebSockets can be referenced in power rules exactly as it’s currently done for JSON POST bodies sent over HTTP. The official documentation provides an example and details of how this is accomplished in the console.

Blocking Malicious WebSocket Traffic

Power Rules provide the ability to specify an action when a request is seen that matches the conditions in the rule. Typical actions for requests that match a rule are: allow, tag, or block. WebSocket inspection takes advantage of the same actions:  when a “block” action is effected, the Next-Gen WAF will close the connection.

As application development teams continue to move fast to deliver the best experiences possible to their customers, it’s incumbent upon them to adopt new technologies that make that outcome possible. Fastly is devoted to ensuring Security teams aren’t left behind and have the best tools to protect the applications their dev teams build and improve upon daily. Interested in learning more? Sign up for a demo!


2 min read

Want to continue the conversation?
Schedule time with an expert
Share this post

Ready to get started?

Get in touch or create an account.