Cleartext Transmission of Sensitive Information in the websockets-client Module

📐 PY530

🏷️ cleartext_transmission

ℹ️ CWE-319

⚠️ Warning

🔒 Professional Plan

---

This rule detects the usage of insecure WebSocket connections in Python code. WebSocket connections initiated with the ws:// scheme are not encrypted, which can expose the communication to eavesdropping and tampering.

Example

import websocket


ws = websocket.WebSocket()
ws.connect("ws://echo.websocket.events")
ws.send("Hello, Server")
ws.close()

Remediation

Replace the ws:// scheme with wss:// in the WebSocket connection URI to ensure the connection is encrypted.

import websocket


ws = websocket.WebSocket()
ws.connect("wss://echo.websocket.events")
ws.send("Hello, Server")
ws.close()

False Positives

In the case of a false positive the rule can be suppressed. Simply add a trailing or preceding comment line with either the rule ID (PY530) or rule category name (cleartext_transmission).

Using rule ID

fix

import websocket


ws = websocket.WebSocket()
# suppress: PY530
ws.connect("ws://echo.websocket.events")
ws.send("Hello, Server")
ws.close()

Using category name

fix

import websocket


ws = websocket.WebSocket()
# suppress: cleartext_transmission
ws.connect("ws://echo.websocket.events")
ws.send("Hello, Server")
ws.close()

See also

info

• websockets documentation
• Writing WebSocket client applications - Web APIs _ MDN
• CWE-319: Cleartext Transmission of Sensitive Information