Sec-WebSocket-Key

Baseline Widely available

This feature is well established and works across many devices and browser versions. It’s been available across browsers since July 2015.

The HTTP Sec-WebSocket-Key request header is used in the WebSocket opening handshake to allow a client (user agent) to confirm that it "really wants" to request that an HTTP client is upgraded to become a WebSocket.

The value of the key is computed using an algorithm defined in the WebSocket specification, so this does not provide security. Instead, it helps to prevent non-WebSocket clients from inadvertently, or through misuse, requesting a WebSocket connection.

This header is automatically added by user agents when a script opens a WebSocket; it cannot be added using the fetch() or XMLHttpRequest.setRequestHeader() methods.

The server's Sec-WebSocket-Accept response header should include a value computed based upon the specified key value. The user agent can then validate this before this before confirming the connection.

Header type Request header
Forbidden header name Yes (Sec- prefix)

Syntax

http
Sec-WebSocket-Key: <key>

Directives

<key>

The key for this request to upgrade. This is a randomly selected 16-byte nonce that has been base64-encoded and isomorphic encoded. The user agent adds this when initiating the WebSocket connection.

Examples

WebSocket opening handshake

The client will initiate a WebSocket handshake with a request like the following. Note that this starts as an HTTP GET request (HTTP/1.1 or later), in addition to Sec-WebSocket-Key, the request includes the Upgrade header, indicating the intent to upgrade from HTTP to a WebSocket connection.

http
GET /chat HTTP/1.1
Host: example.com:8000
Upgrade: websocket
Connection: Upgrade
Sec-WebSocket-Key: dGhlIHNhbXBsZSBub25jZQ==
Sec-WebSocket-Version: 13

The response from the server should include the Sec-WebSocket-Accept header with a value that is calculated from the Sec-WebSocket-Key header in the request, and confirms the intent to upgrade the connection to a WebSocket connection:

http
HTTP/1.1 101 Switching Protocols
Upgrade: websocket
Connection: Upgrade
Sec-WebSocket-Accept: s3pPLMBiTxaQ9kYGzzhZRbK+xOo=

Specifications

Specification
The WebSocket Protocol
# section-11.3.1

Browser compatibility

Report problems with this compatibility data on GitHub
desktopmobile
Chrome
Edge
Firefox
Opera
Safari
Chrome Android
Firefox for Android
Opera Android
Safari on iOS
Samsung Internet
WebView Android
WebView on iOS
Sec-WebSocket-Key

Legend

Tip: you can click/tap on a cell for more information.

Full support
Full support

See also