Finding · flue
WebSocket security hardening: query string stripping and requestId validation
What Changed
Two security fixes: (1) Cloudflare WebSocket attachments strip query strings and fragments before persistence, preventing URL-carried handshake credentials from being retained. (2) Agent and workflow WebSocket frames reject blank or whitespace-only requestId values, including optional agent ping IDs.
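The two checks described above, as an added sketch (not flue's own code). The function names, the frame shape with a `type` field, and the use of `requestId` as the ping ID field are assumptions made for illustration; the sample URLs and frames are constructed.

```javascript
// Added illustration: names and frame shape are hypothetical, not flue's API.

// Drop the query string and fragment so URL-carried handshake credentials
// never reach persisted WebSocket attachment state.
function stripUrlForPersistence(rawUrl) {
  let url;
  try {
    url = new URL(rawUrl);
  } catch {
    return null; // unparseable: persist nothing rather than the raw string
  }
  url.search = ""; // removes "?token=..." including the "?" itself
  url.hash = "";   // removes "#..." including the "#" itself
  return url.toString();
}

// A requestId is acceptable only if it is a string with at least one
// non-whitespace character (trim() also covers tabs, newlines and NBSP).
function isValidRequestId(value) {
  return typeof value === "string" && value.trim().length > 0;
}

// Validate an inbound frame. requestId is required on every frame except a
// ping, where it may be omitted but must be non-blank when supplied.
function validateFrame(frame) {
  if (frame === null || typeof frame !== "object") {
    return { ok: false, error: "frame must be an object" };
  }
  const idOptional = frame.type === "ping"; // assumed discriminator field
  if (frame.requestId === undefined && idOptional) {
    return { ok: true };
  }
  if (!isValidRequestId(frame.requestId)) {
    return { ok: false, error: "requestId must be a non-blank string" };
  }
  return { ok: true };
}

// Constructed sample input.
const persisted = stripUrlForPersistence("wss://agent.example/ws?token=s3cret#resume");
console.log(persisted);
console.log(validateFrame({ type: "ping", requestId: "   " }));
```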
Operator Implication
Operators should stop passing sensitive credentials as query parameters in WebSocket URLs and rely on secure header-based auth instead.
Receipt
Finding metadata
Run: 2026-06-03-weekly-digest-2026-05-28_2026-06-03-frontier-v0
Finding ID: 2026-06-02-flue-v091-websocket-security