Blazor Server: Protect information in transit with HTTPS: Are WebSockets not secure enough?
Blazor Server development is great! One of my concerns is with the security of data being sent through SignalR/WebSockets.
From my understanding the communication between client and server is:
- Action is taken by user e.g. clicks button
- JavaScript initiates the WebSocket communication with my server
- Server responds with data that I've returned
- Javascript changes the page (DOM)
From Chrome developer tools I can see this happening on the WebSocket, i.e. wss://localhost/_blazor?id=XXXXXXXXXXXXXX. As the WebSocket is wss:// I thought communication was secure and ensured integrity and confidentiality, e.g. against man-in-the-middle attacks etc.
So why has Microsoft advised to "Always use HTTPS" in their Blazor Server Threat Mitigation documentation?
Protect information in transit with HTTPS
Blazor Server uses SignalR for communication between the client and the server. Blazor Server normally uses the transport that SignalR negotiates, which is typically WebSockets.
Blazor Server doesn't ensure the integrity and confidentiality of the data sent between the server and the client. Always use HTTPS.
Solution 1 [1]:
Thank you to Brennan for answering my question in the comments.
So why has Microsoft advised to "Always use HTTPS" in their Blazor Server Threat Mitigation documentation?
The warning is just general text. The two statements on the documentation are independent of each other.
The below explains the mechanism Blazor Server typically uses for communication between client and server, i.e. WebSockets:
Protect information in transit with HTTPS
Blazor Server uses SignalR for communication between the client and the server. Blazor Server normally uses the transport that SignalR negotiates, which is typically WebSockets.
The below states that you should always use a secure protocol when communicating between client and server, i.e. HTTPS:
Blazor Server doesn't ensure the integrity and confidentiality of the data sent between the server and the client. Always use HTTPS.
I assumed Microsoft was referring to using standard API (HTTP/2) endpoints to ensure integrity and confidentiality. As Brennan pointed out - WebSockets is an extension of HTTP/1.1, and thus can use HTTPS.
Hopefully, this helps people in the future.
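The point the answer turns on is that a WebSocket connection begins life as an ordinary HTTP/1.1 request carrying an Upgrade header (RFC 6455), so the same TLS session that makes a page https:// makes the Blazor hub wss://. The following is an added example, not code from the question, the answer or Microsoft's documentation: it builds the client's Upgrade request for a ws:// or wss:// URL, reports whether the socket has to be wrapped in TLS first, and verifies the server's 101 response the way a browser does, by recomputing Sec-WebSocket-Accept from the client key. The `/_blazor?id=...` URL and the 101 response are constructed sample values, and the client key is the one from RFC 6455 section 1.3.

```python
import base64
import hashlib
import hmac
import secrets
from urllib.parse import urlparse

# Fixed GUID from RFC 6455: Sec-WebSocket-Accept = base64(SHA-1(key + GUID)).
WS_GUID = "258EAFA5-E914-47DA-95CA-C5AB0DC85B11"


def make_client_key() -> str:
    """Random 16-byte nonce, base64-encoded, as browsers generate per connection."""
    return base64.b64encode(secrets.token_bytes(16)).decode("ascii")


def expected_accept(client_key: str) -> str:
    """Value the server must echo back; proves it understood a WebSocket handshake."""
    digest = hashlib.sha1((client_key + WS_GUID).encode("ascii")).digest()
    return base64.b64encode(digest).decode("ascii")


def build_upgrade_request(url: str, client_key: str) -> tuple[bytes, bool]:
    """Return (HTTP/1.1 Upgrade request bytes, whether TLS must be negotiated first).

    wss:// differs from ws:// only in that the TCP socket is wrapped in TLS before
    this request is sent, exactly as https:// relates to http://.
    """
    u = urlparse(url)
    if u.scheme not in ("ws", "wss"):
        raise ValueError("scheme must be ws or wss")
    use_tls = u.scheme == "wss"
    port = u.port or (443 if use_tls else 80)
    path = (u.path or "/") + (f"?{u.query}" if u.query else "")
    lines = [
        f"GET {path} HTTP/1.1",
        f"Host: {u.hostname}:{port}",
        "Upgrade: websocket",
        "Connection: Upgrade",
        f"Sec-WebSocket-Key: {client_key}",
        "Sec-WebSocket-Version: 13",
        "",
        "",
    ]
    return "\r\n".join(lines).encode("ascii"), use_tls


def parse_headers(response: bytes) -> tuple[str, dict]:
    """Split a raw HTTP response head into its status line and lower-cased headers."""
    head, _, _ = response.partition(b"\r\n\r\n")
    status_line, *header_lines = head.decode("iso-8859-1").split("\r\n")
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status_line, headers


def verify_upgrade_response(response: bytes, client_key: str) -> bool:
    """Accept the server's reply only if it is a genuine 101 upgrade bound to our key."""
    status_line, headers = parse_headers(response)
    if not status_line.startswith("HTTP/1.1 101"):
        return False
    if headers.get("upgrade", "").lower() != "websocket":
        return False
    if "upgrade" not in headers.get("connection", "").lower():
        return False
    accept = headers.get("sec-websocket-accept", "")
    # Constant-time compare: the accept value is derived from our nonce.
    return hmac.compare_digest(accept, expected_accept(client_key))


# Constructed sample values (not captured from a real Blazor Server instance).
RFC_SAMPLE_KEY = "dGhlIHNhbXBsZSBub25jZQ=="
SAMPLE_HUB_URL = "wss://localhost/_blazor?id=SAMPLE_CONNECTION_ID"
SAMPLE_RESPONSE = (
    b"HTTP/1.1 101 Switching Protocols\r\n"
    b"Upgrade: websocket\r\n"
    b"Connection: Upgrade\r\n"
    b"Sec-WebSocket-Accept: s3pPLMBiTxaQ9kYGzzhZRbK+xOo=\r\n"
    b"\r\n"
)


def demo() -> dict:
    """Run the handshake pieces against the constructed sample and summarise."""
    request, use_tls = build_upgrade_request(SAMPLE_HUB_URL, RFC_SAMPLE_KEY)
    return {
        "tls_first": use_tls,
        "request_line": request.split(b"\r\n", 1)[0].decode("ascii"),
        "accepted": verify_upgrade_response(SAMPLE_RESPONSE, RFC_SAMPLE_KEY),
    }


if __name__ == "__main__":
    print(demo())
```

With a wss:// hub URL the function reports that TLS must be established before the GET is sent, which is why a Blazor Server app served over HTTPS gets confidentiality and integrity for its SignalR traffic without any separate WebSocket configuration; the remaining job, as the documentation says, is to make sure the site is never reachable over plain http:// (and therefore ws://) in the first place.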
Sources
This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.
Source: Stack Overflow
| Solution | Source |
|---|---|
| Solution 1 | James Sills |
