
Cleartext Transmission of Sensitive Information in the websockets-client Module

📐 PY530
đŸˇī¸ cleartext_transmission
â„šī¸ CWE-319
âš ī¸ Warning
🔒 Professional Plan

This rule detects insecure WebSocket connections in Python code. A WebSocket connection opened with the ws:// scheme is not encrypted: every frame crosses the network in cleartext, which exposes the communication to eavesdropping and tampering by anyone on the path.

Example

import websocket


ws = websocket.WebSocket()
# ws:// opens a plain TCP connection; the handshake and every frame are sent unencrypted
ws.connect("ws://echo.websocket.events")
ws.send("Hello, Server")
ws.close()

Remediation

Replace the ws:// scheme with wss:// in the WebSocket connection URI so that the connection is wrapped in TLS and the traffic is encrypted in transit.

import websocket


ws = websocket.WebSocket()
# wss:// performs the WebSocket handshake over TLS, so the traffic is encrypted in transit
ws.connect("wss://echo.websocket.events")
ws.send("Hello, Server")
ws.close()

False Positives

If the rule reports a false positive, it can be suppressed: add a trailing or preceding comment line containing either the rule ID (PY530) or the rule category name (cleartext_transmission).

import websocket


ws = websocket.WebSocket()
# suppress: PY530
ws.connect("ws://echo.websocket.events")
ws.send("Hello, Server")
ws.close()
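To make the detection and the suppression mechanism concrete, here is a small, self-contained checker written for this page as an added illustration; it is not the scanner's own implementation. It parses Python source with the standard library ast and tokenize modules, flags any .connect(...) call whose literal URI uses the ws:// scheme, and honours a comment containing PY530 or cleartext_transmission on the same line, the line before, or the line after the call. The exact placement rules and the SAMPLE source are assumptions constructed for the example.

```python
import ast
import io
import tokenize
from urllib.parse import urlsplit

RULE_ID = "PY530"
RULE_NAME = "cleartext_transmission"
INSECURE_SCHEMES = {"ws"}  # wss:// is the TLS-wrapped counterpart and is not flagged

# Constructed sample input: one cleartext call, one TLS call, one suppressed cleartext call.
SAMPLE = '''import websocket

ws = websocket.WebSocket()
ws.connect("ws://echo.websocket.events")   # flagged: cleartext
ws.connect("wss://echo.websocket.events")  # fine: TLS
# suppress: PY530
ws.connect("ws://echo.websocket.events")   # suppressed as a false positive
'''


def _suppressed_lines(source):
    """Return the set of line numbers covered by a suppression comment.

    Assumption for this example: a comment naming the rule ID or category
    suppresses the line it sits on, the line before it (trailing comment
    line) and the line after it (preceding comment line).
    """
    covered = set()
    for tok in tokenize.generate_tokens(io.StringIO(source).readline):
        if tok.type == tokenize.COMMENT and (RULE_ID in tok.string or RULE_NAME in tok.string):
            line = tok.start[0]
            covered.update({line - 1, line, line + 1})
    return covered


def _literal_uri(call):
    """Return the URI string literal passed to .connect(), positionally or as url=, else None."""
    arg = None
    if call.args:
        arg = call.args[0]
    else:
        for kw in call.keywords:
            if kw.arg == "url":
                arg = kw.value
    if isinstance(arg, ast.Constant) and isinstance(arg.value, str):
        return arg.value
    return None


def find_cleartext_websockets(source):
    """Return a list of (lineno, uri) for unsuppressed .connect() calls using ws://."""
    suppressed = _suppressed_lines(source)
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call):
            continue
        if not (isinstance(node.func, ast.Attribute) and node.func.attr == "connect"):
            continue
        uri = _literal_uri(node)
        if uri is None:
            continue
        if urlsplit(uri).scheme.lower() in INSECURE_SCHEMES and node.lineno not in suppressed:
            findings.append((node.lineno, uri))
    return findings


if __name__ == "__main__":
    for lineno, uri in find_cleartext_websockets(SAMPLE):
        print(f"line {lineno}: {RULE_ID} {RULE_NAME}: cleartext WebSocket URI {uri!r}")
```

Run against SAMPLE the checker reports only line 4: line 5 uses wss:// and line 7 is covered by the preceding suppression comment. Only string literals are inspected, so a URI built at runtime is not reported; that mirrors the trade-off a static rule makes between precision and coverage.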

See also