WebSockets are a mechanism that allow a client (typically a web page) to
talk to a server without the overhead and complications that web
services may pose. The client first establishes a connection using http
and then makes a request to switch over to websockets; the process is
described in RFC 6455 <https://tools.ietf.org/html/rfc6455>__. Using
this technology simplifies development of elaborate web based clients
and reduces web traffic, which is pretty sweet for developed and admins
alike
Unfortunately, not properly securing websockets is pretty sweet for attackers, and can lead to information leakage or, in extreme cases, code execution on the server. If you’re used to setting up authentication using a framework and letting things rub on their own, you will have to rethink your strategy; and if you plan on doing something like piping your users’ input to another library or executable, be particularly careful about sanitizing it! While the way to a man’s heart is through his stomach, the way to a server’s heart is through user inputs.