Web Security Service block for Websocket traffic
search cancel

Web Security Service block for Websocket traffic


Article ID: 201849


Updated On:


Cloud Secure Web Gateway - Cloud SWG


A number of internal users should be allowed to access WebSocket based applications, yet most should be blocked.

Can define a policy that blocks access to each domain, but wanted a more generic rule to block all web socket based applications

Every policy change made allowed all users to access websocket applications instead of blocking 



WSS access via WSSA and Explicit

Have Management Center for configuration and using VPE for creating rules 


1. Must make sure that SSL interception is enabled for all Websocket sites and

2. Modified CPL to add force_deny on the http.websocket check as shown below 

http.websocket=yes force_deny

Additional Information

From the Content Policy Language reference guide, the following http.websocket check can be used to determine whether a web socket upgrade in existing request is happening.


The WebSocket protocol provides simultaneous two-way communications channels over a single TCP connection by detecting the presence of a proxy server and tunneling communications through the proxy. To upgrade an HTTP connection to a newer HTTP version or use another protocol such as WebSocket, a client sends a request with Upgrade, Connection, and other relevant headers. Previous versions of SGOS did not allow WebSocket handshakes to complete, but supported versions allow the handshake to complete successfully. Supported versions also detect WebSocket traffic and allow you to perform specific policy actions.



Layer and Transaction Notes

• Use in , , and layers.
• Applies to HTTP and HTTPS transactions.

See Also
• Conditions: client.protocol=


The following example blocks all WebSocket traffic to testsite.com. url.domain=testsite.com http.websocket=yes DENY

url.domain=testsite.com http.websocket=yes DENY