security.rst (1370B)
1 Security 2 ======== 3 4 Encryption 5 ---------- 6 7 For production use, a server should require encrypted connections. 8 9 See this example of :ref:`encrypting connections with TLS 10 <secure-server-example>`. 11 12 Memory usage 13 ------------ 14 15 .. warning:: 16 17 An attacker who can open an arbitrary number of connections will be able 18 to perform a denial of service by memory exhaustion. If you're concerned 19 by denial of service attacks, you must reject suspicious connections 20 before they reach websockets, typically in a reverse proxy. 21 22 With the default settings, opening a connection uses 70 KiB of memory. 23 24 Sending some highly compressed messages could use up to 128 MiB of memory with 25 an amplification factor of 1000 between network traffic and memory usage. 26 27 Configuring a server to :doc:`optimize memory usage <memory>` will improve 28 security in addition to improving performance. 29 30 Other limits 31 ------------ 32 33 websockets implements additional limits on the amount of data it accepts in 34 order to minimize exposure to security vulnerabilities. 35 36 In the opening handshake, websockets limits the number of HTTP headers to 256 37 and the size of an individual header to 4096 bytes. These limits are 10 to 20 38 times larger than what's expected in standard use cases. They're hard-coded. 39 40 If you need to change these limits, you can monkey-patch the constants in 41 ``websockets.http11``.