Sec-WebSocket-Key header
        
        
          
                Baseline
                
                  Widely available
                
                
              
        
        
        
          
                
              
                
              
                
              
        
        
      
      This feature is well established and works across many devices and browser versions. It’s been available across browsers since July 2015.
The HTTP Sec-WebSocket-Key request header is used in the WebSocket opening handshake to allow a client (user agent) to confirm that it "really wants" to request that an HTTP client is upgraded to become a WebSocket.
The value of the key is computed using an algorithm defined in the WebSocket specification, so this does not provide security. Instead, it helps to prevent non-WebSocket clients from inadvertently, or through misuse, requesting a WebSocket connection.
This header is automatically added by user agents when a script opens a WebSocket; it cannot be added using the fetch() or XMLHttpRequest.setRequestHeader() methods.
The server's Sec-WebSocket-Accept response header should include a value computed based upon the specified key value.
The user agent can then validate this before this before confirming the connection.
| Header type | Request header | 
|---|---|
| Forbidden request header | Yes ( Sec-prefix) | 
Syntax
Sec-WebSocket-Key: <key>
Directives
- <key>
- 
The key for this request to upgrade. This is a randomly selected 16-byte nonce that has been base64-encoded and isomorphic encoded. The user agent adds this when initiating the WebSocket connection. 
Examples
>WebSocket opening handshake
The client will initiate a WebSocket handshake with a request like the following.
Note that this starts as an HTTP GET request (HTTP/1.1 or later), in addition to Sec-WebSocket-Key, the request includes the Upgrade header, indicating the intent to upgrade from HTTP to a WebSocket connection.
GET /chat HTTP/1.1
Host: example.com:8000
Upgrade: websocket
Connection: Upgrade
Sec-WebSocket-Key: dGhlIHNhbXBsZSBub25jZQ==
Sec-WebSocket-Version: 13
The response from the server should include the Sec-WebSocket-Accept header with a value that is calculated from the Sec-WebSocket-Key header in the request, and confirms the intent to upgrade the connection to a WebSocket connection:
HTTP/1.1 101 Switching Protocols
Upgrade: websocket
Connection: Upgrade
Sec-WebSocket-Accept: s3pPLMBiTxaQ9kYGzzhZRbK+xOo=
Specifications
| Specification | 
|---|
| The WebSocket Protocol> # section-11.3.1> | 
Browser compatibility
Loading…