Sec-WebSocket-Key

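The HTTP Sec-WebSocket-Key request header sends a base64-encoded random value during the WebSocket opening handshake that establishes a bidirectional connection. The value is a handshake nonce: it lets the server show it understood the upgrade request, and it does not authenticate the client or encrypt the connection.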

Baseline: Widely available

Supported across all major browsers.

Usage

The Sec-WebSocket-Key header is part of the WebSocket protocol upgrade mechanism. When a client initiates a WebSocket connection, the browser generates a 16-byte random value, encodes the value using base64, and sends the result in this header.

The server appends a fixed GUID string (258EAFA5-E914-47DA-95CA-C5AB0DC85B11) to the received key, applies a SHA-1 hash to the result, and returns the base64-encoded hash in the Sec-WebSocket-Accept response header. The key is used as the base64 text exactly as received, not as the decoded 16 bytes. This process proves the server understands the WebSocket protocol and prevents accidental acceptance by HTTP servers.

The handshake requires an Upgrade header set to websocket and a Connection header set to Upgrade. Together with Sec-WebSocket-Key, these HTTP headers transform a standard HTTP connection into a persistent WebSocket channel supporting real-time bidirectional communication.

Values

Base64-encoded 16-byte random value

The value is a base64-encoded string representing 16 bytes of random data generated by the client. Each connection uses a fresh random value.

Example

A browser initiating a WebSocket connection to a chat server sends a random key. The server validates the handshake by computing the correct Sec-WebSocket-Accept value.

GET /chat HTTP/1.1
Host: example.re
Upgrade: websocket
Connection: Upgrade
Sec-WebSocket-Key: dGhlIHNhbXBsZSBub25jZQ==
Sec-WebSocket-Version: 13

The server responds with the computed accept hash, completing the upgrade.

HTTP/1.1 101 Switching Protocols
Upgrade: websocket
Connection: Upgrade
Sec-WebSocket-Accept: s3pPLMBiTxaQ9kYGzzhZRbK+xOo=
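
The server-side check and accept computation described above, as an added Python example that is not code from the original page. The function names and the SAMPLE_REQUEST dict are assumptions made for illustration; the key is the one from the request shown above.

```python
import base64
import binascii
import hashlib

# Fixed GUID from the WebSocket protocol, as quoted on this page.
WS_GUID = "258EAFA5-E914-47DA-95CA-C5AB0DC85B11"


def compute_accept(key: str) -> str:
    # Hash the key text as received (base64 string, not decoded bytes) + GUID.
    digest = hashlib.sha1((key + WS_GUID).encode("ascii")).digest()
    return base64.b64encode(digest).decode("ascii")


def key_is_well_formed(key: str) -> bool:
    # Strict base64 only, and it must decode to exactly 16 bytes.
    try:
        return len(base64.b64decode(key, validate=True)) == 16
    except (binascii.Error, ValueError):
        return False


def handshake_response(headers: dict) -> dict:
    # Header names and the Upgrade/Connection tokens are case-insensitive.
    h = {name.lower(): value.strip() for name, value in headers.items()}
    if h.get("upgrade", "").lower() != "websocket":
        raise ValueError("Upgrade header must be 'websocket'")
    tokens = [t.strip().lower() for t in h.get("connection", "").split(",")]
    if "upgrade" not in tokens:
        raise ValueError("Connection header must include 'Upgrade'")
    key = h.get("sec-websocket-key", "")
    if not key_is_well_formed(key):
        raise ValueError("Sec-WebSocket-Key must be base64 of 16 bytes")
    return {
        "Upgrade": "websocket",
        "Connection": "Upgrade",
        "Sec-WebSocket-Accept": compute_accept(key),
    }


# Request headers copied from the example above (hypothetical dict form).
SAMPLE_REQUEST = {
    "Host": "example.re",
    "Upgrade": "websocket",
    "Connection": "Upgrade",
    "Sec-WebSocket-Key": "dGhlIHNhbXBsZSBub25jZQ==",
    "Sec-WebSocket-Version": "13",
}
```

A client can run compute_accept on the key it sent and compare the result with the Sec-WebSocket-Accept header it receives; a mismatch means the peer did not perform the WebSocket handshake.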

Takeaway

The Sec-WebSocket-Key header provides a handshake nonce for validating WebSocket protocol upgrades between clients and servers.

Last updated: March 6, 2026