GraphQL subscriptions over WebSocket: CORS on HTTP does not cover the socket upgrade
Apollo and similar clients open a WS connection with a negotiated subprotocol; validate the Origin header in the upgrade handler, because the browser's CORS checks do not apply to the WebSocket handshake.
Tags: graphql, subscriptions, websocket, cors
Dual policies
REST endpoints enforce their origin allowlist through CORS, but the subscription server must apply the same list itself on the WS upgrade, since the browser does not run CORS checks on the handshake.
BFFs that multiplex HTTP and WS behind one domain simplify this alignment.
Scaling
Sticky sessions and pub/sub backplanes shape how reconnect storms hit the server; rate limit per IP during outages.
Monitor 1008 (policy violation) close codes separately from CORS-like origin rejections made at the upgrade handshake, which never reach the WebSocket layer.
