WebRTC Security:How to Keep Calls and Data Safe
WebRTC is the technology behind browser video calls, screen sharing, and live data channels, with no plugin needed. It is powerful because the media can travel directly between users, but that same power means there are servers and channels you must secure. This guide explains WebRTC security in plain language. It maps to chapter V17 of the OWASP standard, which you can explore in the ASVS Explorer.
What Are the Parts of a WebRTC Connection?
To secure WebRTC, it helps to know its three moving parts. Each one is a place where security matters.
| Part | What it does | Security concern |
|---|---|---|
| Signaling | Helps two users find each other and agree how to connect, before media flows. | Must be encrypted and validated, or an attacker can hijack or redirect the call. |
| STUN and TURN | Help users connect across firewalls. TURN relays the media when a direct link is not possible. | TURN servers can be abused as free bandwidth if left open and unauthenticated. |
| Media and data | The actual audio, video, and data channels between users. | Encrypted by default in WebRTC, but the keys are only as safe as the signaling that set them up. |
Is WebRTC Media Encrypted by Default?
Yes. WebRTC requires encryption for media and data, using DTLS and SRTP, so audio, video, and data channels are protected as they travel between users. This is a real strength, and you cannot turn it off. But there is a catch. The encryption keys are exchanged during the signaling step, so if your signaling channel is not secure, an attacker could step in during setup and take part in the call. In other words, encrypted media still depends on secure signaling.
How Do You Secure the Signaling Channel?
Signaling is not defined by WebRTC itself, so you build it, usually over WebSockets or HTTPS. That means securing it is your job. Serve signaling over an encrypted connection (wss or https), never plain text. Require users to be logged in and authorized before they can start or join a session, so a stranger cannot insert themselves. And validate every signaling message, because messages that are trusted without checks can be used to redirect a call or crash the service. This overlaps with our guide on browser security and general input validation.
Why Are TURN Servers a Target?
A TURN server relays media when two users cannot connect directly, which means it moves a lot of bandwidth. If your TURN server is open to anyone, attackers will find it and use it as a free relay for their own traffic, which costs you money and can drag your service into abuse. Worse, a poorly configured TURN server can sometimes be tricked into reaching internal systems on your network. The fix is to require authentication for every TURN user, hand out short lived credentials from your own backend rather than a shared static password, and limit what the server is allowed to reach.
Can WebRTC Leak a User's IP Address?
Yes, and it is worth knowing about. To find the best path between users, WebRTC gathers network addresses, and this process can reveal a user's real IP address even when they use some privacy tools. For most apps this is expected behavior, since the whole point is to connect users. But if your product makes privacy promises, be honest about it, and consider routing media through a TURN server so users share the server's address rather than their own. Tell users what to expect rather than surprising them.
WebRTC Security Checklist
- 1Serve signaling only over encrypted channels (wss or https), never plain text.
- 2Require login and authorization before a user can start or join a session.
- 3Validate every signaling message and reject anything unexpected.
- 4Require authentication for TURN, using short lived credentials from your backend.
- 5Limit what your TURN server can reach so it cannot touch internal systems.
- 6Rate limit session creation and relay usage to prevent abuse.
- 7Be clear with users about network address exposure and route through TURN if privacy is promised.
- 8Keep your WebRTC and signaling libraries up to date.