Is it possible to force socket.io to use wss instead of ws, without having to change to https?

Kitanga Nday · Jan 2, 2017 · Viewed 16.6k times

I have been trying to set up a server where users can sign in using websockets, but I don't want to do this using ws. I want to be able to turn on wss without having https. Sadly, there aren't any options to do this. And so the question is: how would one do this on the client side without using the https protocol?

Answer

Brilliand · Sep 8, 2017

Yes, this is possible. To do this, pass your websocket URL to the socket.io client directly, like this:

var socket = io('wss://example.com/');

Note that the reverse is not possible: while there's nothing to prevent HTTP pages from creating WSS connections, most browsers today block any WS connection from an HTTPS page to enforce the heightened security.

I would also caution that a websocket opened over WSS is still no more secure than the page it originated from. If you're using WSS for its security benefits, be advised that all that security could be for naught if an attacker overrides your page at the time that it's loaded (which HTTPS would prevent).
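
The page/socket scheme combinations discussed in the answer above, as an added example that is not part of the original answer. `assessSocket` is a hypothetical helper (not a socket.io API) that models the browser rule as the answer states it, and the example.com URLs are constructed sample input.

```javascript
// Added example: classify a page URL / socket URL pair before connecting.
// assessSocket is a hypothetical helper name, not part of socket.io.
const ENCRYPTED = new Set(['wss:', 'https:']); // socket.io also accepts http(s) URLs
const KNOWN = new Set(['ws:', 'wss:', 'http:', 'https:']);

function assessSocket(pageUrl, socketUrl) {
  const page = new URL(pageUrl);
  // A relative socket URL inherits the page's scheme and host.
  const sock = new URL(socketUrl, page);
  if (!KNOWN.has(sock.protocol)) {
    throw new Error('unsupported socket scheme: ' + sock.protocol);
  }
  const pageProtected = page.protocol === 'https:';
  const socketEncrypted = ENCRYPTED.has(sock.protocol);
  // Rule as stated in the answer: an HTTPS page may not open a plain WS socket.
  const blocked = pageProtected && !socketEncrypted;

  const warnings = [];
  if (blocked) {
    warnings.push('HTTPS page with plain WS: browsers block this connection');
  }
  if (!pageProtected && socketEncrypted) {
    warnings.push('socket is encrypted, but the page was loaded over HTTP ' +
      'and could have been replaced in transit');
  }
  if (!pageProtected && !socketEncrypted) {
    warnings.push('page and socket are both plaintext');
  }
  return {
    blocked,
    socketEncrypted,
    pageProtected,
    // Only HTTPS page + WSS socket protects both the code and the traffic.
    endToEnd: pageProtected && socketEncrypted,
    warnings,
  };
}

// Constructed sample input covering the cases the answer describes.
const samples = [
  ['http://example.com/login', 'wss://example.com/'],  // the asker's setup
  ['https://example.com/login', 'ws://example.com/'],  // the blocked reverse
  ['https://example.com/login', 'wss://example.com/'],
  ['http://example.com/login', '/socket.io/'],         // relative: inherits http
];
for (const [page, sock] of samples) {
  console.log(page, '->', sock, JSON.stringify(assessSocket(page, sock)));
}
```

A sign-in form should only treat the channel as protected when `endToEnd` is true; for the asker's HTTP page with a WSS socket it is false even though `socketEncrypted` is true.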