Secure websocket communication in Django


I’ve been playing around with the best approach to keep websocket messages secure in my webserver traffic.
For the most part, websocket traffic would originate from a known source to the client. There might be some communication back from the client user to the known (secure) source.

I’m using a Redis (AWS Elasticache) backend for channels.
Communication will primarily come from a python websockets connection.

At this point I’ve tested using a private token string within the websocket uri and using that to authenticate against a public key on the django server. However I’m not entirely sure what this is gaining me. I have my auth middleware stack set up to check against this private key and it seems to prevent any websocket from connect that doesnt have that private key.

This may keep the server safe from some sort of brute-force attack (maybe). However I don’t know that it’s keeping any of the websocket messages secure. That is to say can anyone intercept this websocket message and know what its carrying?

Is there a better way to go about making secure channels communication?


If you’re securing your original connection by using https, then your web socket connection should be made using wss.

Correct. It is wss.
Is this all that needs to happen then? I don’t need to bother trying to encrypt outgoing websocket messages in any way?

Correct. The protocol “wss” effectively means “websocket on https”. So it’s going to be encrypted (just like https) between ssl endpoints.