The HTTPSec-WebSocket-Keyrequest header is used in theWebSocket openinghandshake to allow a client (user agent) to confirm that it "really wants" to request that an HTTP client is upgraded to become a WebSocket.

The value of the key is computed using an algorithm defined in the WebSocket specification, so thisdoes not provide security.Instead, it helps to prevent non-WebSocket clients from inadvertently, or through misuse, requesting a WebSocket connection.

This header is automatically added by user agents when a script opens a WebSocket; it cannot be added using thefetch() orXMLHttpRequest.setRequestHeader() methods.

The server'sSec-WebSocket-Accept response header should include a value computed based upon the specified key value.The user agent can then validate this before this before confirming the connection.

This page was last modified onJul 4, 2025 byMDN contributors.