Sec-WebSocket-Key

The HTTP Sec-WebSocket-Key request header carries a base64-encoded random nonce during the WebSocket opening handshake, preventing accidental HTTP-to-WebSocket upgrades.

Baseline: Widely available

Supported across all major browsers. webstatus.dev

Usage

The Sec-WebSocket-Key header is part of the WebSocket protocol upgrade mechanism. When a client initiates a WebSocket connection, the browser generates a 16-byte random value, encodes the value using base64, and sends the result in this header.

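The server appends a fixed GUID string (258EAFA5-E914-47DA-95CA-C5AB0DC85B11) to the received key, using the base64 text exactly as sent rather than the decoded bytes, applies a SHA-1 hash to the result, and returns the base64-encoded hash in the Sec-WebSocket-Accept response header. This process proves the server understands the WebSocket protocol and prevents accidental acceptance by HTTP servers. Because the GUID is public and the key travels in the request, the exchange is a protocol check, not authentication.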

The handshake requires an Upgrade header set to websocket and a Connection header set to Upgrade. Together with Sec-WebSocket-Key, these HTTP headers transform a standard HTTP connection into a persistent WebSocket channel supporting real-time bidirectional communication.

Values

Base64-encoded 16-byte random value

The value is a base64-encoded string representing 16 bytes of random data generated by the client. Each connection uses a fresh random value.

Example

A browser initiating a WebSocket connection to a chat server sends a random key. The server validates the handshake by computing the correct Sec-WebSocket-Accept value.

GET /chat HTTP/1.1
Host: example.re
Upgrade: websocket
Connection: Upgrade
Sec-WebSocket-Key: dGhlIHNhbXBsZSBub25jZQ==
Sec-WebSocket-Version: 13

The server responds with the computed accept hash, completing the upgrade.

HTTP/1.1 101 Switching Protocols
Upgrade: websocket
Connection: Upgrade
Sec-WebSocket-Accept: s3pPLMBiTxaQ9kYGzzhZRbK+xOo=
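
The computation behind this exchange, as an added example (not code from the original page): it validates the key the way a server should before answering, derives Sec-WebSocket-Accept, and performs the matching client-side check. The function names are chosen here for illustration.

```python
import base64
import binascii
import hashlib
import os

# Fixed GUID from the WebSocket protocol, as quoted on this page.
WS_GUID = "258EAFA5-E914-47DA-95CA-C5AB0DC85B11"


def new_key() -> str:
    """Client side: fresh 16-byte random nonce, base64-encoded."""
    return base64.b64encode(os.urandom(16)).decode("ascii")


def is_valid_key(key: str) -> bool:
    """Server side: the header must be strict base64 that decodes to 16 bytes."""
    try:
        raw = base64.b64decode(key.strip(), validate=True)
    except (binascii.Error, ValueError):
        return False
    return len(raw) == 16


def compute_accept(key: str) -> str:
    """SHA-1 over the key text as sent (not the decoded bytes) plus the GUID."""
    if not is_valid_key(key):
        raise ValueError("Sec-WebSocket-Key must be base64 of 16 bytes")
    digest = hashlib.sha1((key.strip() + WS_GUID).encode("ascii")).digest()
    return base64.b64encode(digest).decode("ascii")


def accept_matches(key: str, accept: str) -> bool:
    """Client side: compare the server's Sec-WebSocket-Accept with the key sent.

    Neither value is secret, so a plain comparison is sufficient.
    """
    return compute_accept(key) == accept.strip()


if __name__ == "__main__":
    sample_key = "dGhlIHNhbXBsZSBub25jZQ=="  # key from the request above
    print("Sec-WebSocket-Accept:", compute_accept(sample_key))
    print("malformed key accepted:", is_valid_key("AAAA"))  # only 3 bytes
```

A server that rejects keys failing `is_valid_key` with a 400 response avoids upgrading connections from clients that do not implement the handshake correctly.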

Last updated: April 4, 2026