Using sockets is security-sensitive. It has led in the past to the following vulnerabilities:

Sockets are vulnerable in multiple ways:

This rule flags code that creates sockets. It matches only the direct use of sockets, not use through frameworks or high-level APIs such as HTTP connections.

Ask Yourself Whether

You are at risk if you answered yes to any of these questions.

Recommended Secure Coding Practices

Questionable Code Example

const net = require('net');

const port = 80; // added so the snippet runs stand-alone; any port value works for the rule

var socket = new net.Socket(); // Questionable
socket.connect(80, 'google.com');

// net.createConnection creates a new net.Socket, initiates the connection with socket.connect(), then returns the net.Socket that starts the connection
net.createConnection({ port: port }, () => {}); // Questionable

// net.connect is an alias of net.createConnection
net.connect({ port: port }, () => {}); // Questionable
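The following is an added example, not the rule's own implementation and not code from the page: a small line-based checker that reproduces what the rule flags (direct `new net.Socket()`, `net.createConnection()` and `net.connect()` calls) while leaving a high-level `http.get()` call unflagged, as the description says. The function name `findQuestionableSocketUses`, the pattern table and the sample source are all assumptions constructed for this example; a real analyzer would work on the AST rather than on source lines.

```javascript
// Added example (hypothetical checker, not SonarSource's implementation):
// flag direct socket creation in JavaScript source, line by line.
const QUESTIONABLE_SOCKET_PATTERNS = [
  { api: 'new net.Socket()',       re: /\bnew\s+net\.Socket\s*\(/ },
  { api: 'net.createConnection()', re: /\bnet\.createConnection\s*\(/ },
  { api: 'net.connect()',          re: /\bnet\.connect\s*\(/ },
];

// Returns one finding per matching line: { line, api }.
function findQuestionableSocketUses(source) {
  const findings = [];
  source.split('\n').forEach((text, idx) => {
    // Comment-only lines are skipped so that documentation does not trigger findings.
    if (/^\s*\/\//.test(text)) return;
    for (const { api, re } of QUESTIONABLE_SOCKET_PATTERNS) {
      if (re.test(text)) findings.push({ line: idx + 1, api });
    }
  });
  return findings;
}

// Constructed sample input: the page's questionable snippet plus one
// high-level http call, which the rule does not flag.
const SAMPLE_SOURCE = [
  "const net = require('net');",
  "const http = require('http');",
  "const port = 80;",
  "var socket = new net.Socket();",
  "socket.connect(port, 'example.com');",
  "// net.createConnection creates a new net.Socket",
  "net.createConnection({ port: port }, () => {});",
  "net.connect({ port: port }, () => {});",
  "http.get('http://example.com/', () => {});",
].join('\n');

// Stand-alone run: prints the three questionable lines (4, 7 and 8).
for (const f of findQuestionableSocketUses(SAMPLE_SOURCE)) {
  console.log(`line ${f.line}: ${f.api} // Questionable`);
}
```

Only lines 4, 7 and 8 of the sample are reported; the `socket.connect(...)` call on line 5 is a method on an already-created socket, and the `http.get(...)` call is a high-level API, so neither is flagged.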

See