WebSocket handshake versus HTTP CORS: what is validated where
WebSockets start with an HTTP Upgrade request; the Origin header participates in server acceptance policies.
Origin checks
Servers should validate the Origin header during the handshake against an allowlist, similar to CORS allowlists for HTTP APIs.
Proxies and load balancers must forward the Upgrade and Connection headers end-to-end.
Operational monitoring
Track failed handshake attempts separately from message-level errors after the socket is open.
Alert on sudden spikes in 403 responses to upgrade requests coming from a new frontend deployment.
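
The Origin check and the monitoring split described above, as an added example that is not code from the original post. The allowlisted origin, the function names and the alert thresholds are assumptions, and rejecting a missing Origin assumes a browser-only endpoint.

```javascript
// Added example; names, origins and thresholds are constructed assumptions.
const ALLOWED_ORIGINS = new Set(["https://app.example.test"]);

// Handshake rejections and post-open message errors are counted separately.
const metrics = { handshakeRejected: {}, messageErrors: 0 };

function reject(status, reason) {
  metrics.handshakeRejected[status] = (metrics.handshakeRejected[status] || 0) + 1;
  return { status, reason };
}

// Returns the serialized origin only if the header is exactly scheme://host[:port].
function parseOrigin(value) {
  try {
    const origin = new URL(value).origin;
    return origin === value ? origin : null;
  } catch {
    return null;
  }
}

// headers: lower-cased header names, as Node's http module provides them.
function checkUpgrade(headers, allowed = ALLOWED_ORIGINS) {
  const upgrade = (headers["upgrade"] || "").toLowerCase();
  const tokens = (headers["connection"] || "").toLowerCase().split(",").map((t) => t.trim());
  if (upgrade !== "websocket" || !tokens.includes("upgrade")) {
    // Typical symptom of a proxy that did not forward Upgrade/Connection.
    return reject(400, "not-a-websocket-upgrade");
  }
  // Assumption: browser-only endpoint, so a missing Origin is rejected too.
  const origin = parseOrigin(headers["origin"] || "");
  if (origin === null || !allowed.has(origin)) {
    return reject(403, "origin-not-allowed");
  }
  return { status: 101, reason: "ok" };
}

// Alert when 403s in the current window exceed a multiple of the baseline.
function spike403(currentWindow, baseline, factor = 5, floor = 10) {
  return currentWindow >= floor && currentWindow > baseline * factor;
}
```

A 400 here points at the proxy path and a 403 at the allowlist, so the two counters call for different responders.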
