Does it automatically fix security issues?

It identifies vulnerabilities and provides concrete fix suggestions with code diffs when possible, though manual review is recommended for security-critical changes.

What is CSWSH and does this skill detect it?

Cross-Site WebSocket Hijacking (CSWSH) occurs when a server fails to validate the Origin header during a handshake. This skill specifically checks for missing origin validation to prevent unauthorized cross-site connections.

How does it check for authentication?

It analyzes the HTTP upgrade handshake logic to verify that session cookies, JWTs, or other auth tokens are being validated before a connection is established.

Can I use this with Socket.io?

Yes, the skill is designed to recognize security patterns for Socket.io as well as native WebSocket and other common library implementations.

WebSocket Security Auditor

Name: WebSocket Security Auditor
Author: florianbuetow

byflorianbuetow

•

Security & Testing

Analyzes WebSocket implementations for security vulnerabilities like CSWSH, missing authentication, and inadequate message validation.

This skill provides a comprehensive security audit for WebSocket-based applications, scanning for common vulnerabilities such as Cross-Site WebSocket Hijacking (CSWSH), unauthenticated handshakes, and missing input validation. It evaluates server configurations and message handlers to ensure persistent, bidirectional communication channels are properly secured with encryption, rate limiting, and robust origin checks. By tracing message flows and verifying transport security, it helps developers harden their real-time communication infrastructure against sophisticated attacks.

Key Features

01Checks for rate limiting to prevent message flooding and DoS

02Validates message schemas and input sanitization in event handlers

03Detects Cross-Site WebSocket Hijacking (CSWSH) vulnerabilities

046 GitHub stars

05Ensures the use of encrypted 'wss://' protocols in production environments

06Verifies authentication during the WebSocket upgrade handshake

Use Cases

01Identifying missing origin checks in Socket.io or native WS implementations

02Auditing an existing WebSocket server for security compliance

03Tracing message flows to ensure proper authorization per event type

What are Skills?·How to Install

Install with 🐟 Skill.Fish

npx skillfish add florianbuetow/claude-code websocket

For use in Claude.ai and ChatGPT

Download Skill