Sec-WebSocket-Accept
The HTTP Sec-WebSocket-Accept response header confirms the server's agreement to open a WebSocket connection by returning a computed hash of the client's handshake key.
Baseline: Widely available
Supported across all major browsers.
Usage
The Sec-WebSocket-Accept header is part of the WebSocket opening handshake. When a client sends a Sec-WebSocket-Key header containing a random base64-encoded nonce, the server computes a response by concatenating the received key with the fixed GUID 258EAFA5-E914-47DA-95CA-C5AB0DC85B11, hashing the result with SHA-1, and encoding the hash in base64. The server returns this computed value in the Sec-WebSocket-Accept header as part of a 101 Switching Protocols response.
This exchange proves the server understands the WebSocket protocol. A regular HTTP server receiving a WebSocket Upgrade request by accident does not compute the correct hash, causing the client to abort the connection. The mechanism prevents accidental protocol mismatches without providing cryptographic security.
The server response also includes an Upgrade header set to websocket and a Connection header set to Upgrade. Optional headers like Sec-WebSocket-Extensions, Sec-WebSocket-Protocol, and Sec-WebSocket-Version negotiate extensions, subprotocols, and protocol versions during the same handshake.
Values
Base64-encoded SHA-1 hash
The value is a base64-encoded string produced by hashing the concatenation of the client's Sec-WebSocket-Key and the fixed WebSocket GUID with SHA-1. Each handshake produces a different value because each client key is randomly generated.
Example
A client initiates a WebSocket connection by sending the upgrade request with a random key.
GET /chat HTTP/1.1
Host: example.re
Upgrade: websocket
Connection: Upgrade
Sec-WebSocket-Key: dGhlIHNhbXBsZSBub25jZQ==
Sec-WebSocket-Version: 13
The server computes the accept hash from the client key and responds with a 101 status, confirming the upgrade.
HTTP/1.1 101 Switching Protocols
Upgrade: websocket
Connection: Upgrade
Sec-WebSocket-Accept: s3pPLMBiTxaQ9kYGzzhZRbK+xOo=
The value s3pPLMBiTxaQ9kYGzzhZRbK+xOo= is the base64-encoded SHA-1 hash of the client key dGhlIHNhbXBsZSBub25jZQ== concatenated with the WebSocket GUID.
Takeaway
The Sec-WebSocket-Accept header completes the WebSocket handshake by returning a computed hash of the client's key, confirming the server supports the WebSocket protocol and is ready for bidirectional communication.
See also
- RFC 6455: The WebSocket Protocol
- Sec-WebSocket-Key
- Sec-WebSocket-Extensions
- Sec-WebSocket-Protocol
- Sec-WebSocket-Version
- Upgrade
- Connection
- Ws
- HTTP headers