Security
********


Memory use
==========

Warning: An attacker who can open an arbitrary number of connections
  will be able to perform a denial of service by memory exhaustion. If
  you're concerned by denial of service attacks, you must reject
  suspicious connections before they reach "websockets", typically in
  a reverse proxy.

The baseline memory use for a connection is about 20kB.

The incoming bytes buffer, incoming messages queue and outgoing bytes
buffer contribute to the memory use of a connection. By default, each
bytes buffer takes up to 64kB and the messages queue up to 128MB,
which is very large.

Most applications use small messages. Setting "max_size" according to
the application's requirements is strongly recommended. See Buffers
for details about tuning buffers.

When compression is enabled, additional memory may be allocated for
carrying the compression context across messages, depending on the
context takeover and window size parameters. With the default
configuration, this adds 320kB to the memory use for a connection.

You can reduce this amount by configuring the "PerMessageDeflate"
extension with lower "server_max_window_bits" and
"client_max_window_bits" values. These parameters default is 15.
Lowering them to 11 is a good choice.

Finally, memory consumed by your application code also counts towards
the memory use of a connection.


Other limits
============

"websockets" implements additional limits on the amount of data it
accepts in order to minimize exposure to security vulnerabilities.

In the opening handshake, "websockets" limits the number of HTTP
headers to 256 and the size of an individual header to 4096 bytes.
These limits are 10 to 20 times larger than what's expected in
standard use cases. They're hard-coded. If you need to change them,
monkey-patch the constants in "websockets.http".
