WebSocket subprotocols: CORS-like origin checks on the upgrade handshake, Sec-WebSocket-Protocol, and cookies
The WebSocket handshake starts with HTTP headers, including Origin; servers must validate it before accepting the upgrade.
websocket, cors, networking
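An added example (not code from the original post) of the handshake validation described above: it checks the upgrade headers, matches Origin against an exact allowlist, negotiates Sec-WebSocket-Protocol, and returns a non-101 status on any failure. The allowed origin, the subprotocol names, the status codes chosen for each rejection, and the `check_upgrade` function are assumptions for illustration.

```python
import base64
import hashlib

# Hypothetical deployment values; replace with your own origins and subprotocols.
ALLOWED_ORIGINS = {"https://app.example.com"}
SUPPORTED_SUBPROTOCOLS = ("chat.v2", "chat.v1")  # server preference order
WS_GUID = "258EAFA5-E914-47DA-95CA-C5AB0DC85B11"  # constant fixed by RFC 6455


def check_upgrade(headers):
    """Return (status, response_headers) for a WebSocket upgrade request.

    `headers` maps lower-cased request header names to values. Every failed
    check returns a non-101 status, so the upgrade fails closed.
    """
    if headers.get("upgrade", "").lower() != "websocket":
        return 426, {"Upgrade": "websocket"}  # e.g. a proxy stripped Upgrade
    tokens = {t.strip().lower() for t in headers.get("connection", "").split(",")}
    if "upgrade" not in tokens:
        return 400, {}
    if headers.get("sec-websocket-version") != "13":
        return 426, {"Sec-WebSocket-Version": "13"}
    key = headers.get("sec-websocket-key")
    if not key:
        return 400, {}
    # Browsers attach cookies to the handshake and apply no CORS preflight to
    # it, so this exact-match check is the gate. A missing Origin is rejected
    # here (assumption: only browser clients are expected).
    if headers.get("origin") not in ALLOWED_ORIGINS:
        return 403, {}
    offered = [p.strip() for p in
               headers.get("sec-websocket-protocol", "").split(",") if p.strip()]
    chosen = next((p for p in SUPPORTED_SUBPROTOCOLS if p in offered), None)
    if offered and chosen is None:
        return 400, {}  # design choice: refuse rather than accept with no subprotocol
    digest = hashlib.sha1((key + WS_GUID).encode("ascii")).digest()
    resp = {"Upgrade": "websocket", "Connection": "Upgrade",
            "Sec-WebSocket-Accept": base64.b64encode(digest).decode("ascii")}
    if chosen:
        resp["Sec-WebSocket-Protocol"] = chosen
    return 101, resp


if __name__ == "__main__":
    # Constructed sample request (key taken from the RFC 6455 example).
    sample = {"upgrade": "websocket", "connection": "Upgrade",
              "sec-websocket-version": "13",
              "sec-websocket-key": "dGhlIHNhbXBsZSBub25jZQ==",
              "origin": "https://app.example.com",
              "sec-websocket-protocol": "chat.v1, chat.v2"}
    print(check_upgrade(sample))
```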
Proxies
Some proxies strip Upgrade headers—health checks should fail closed when WebSocket cannot be negotiated.
Nginx `map` directives can route WS separately from REST CORS—document both paths.
Scaling
Sticky sessions help when connection state lives on one node—misaligned sticky keys look like random disconnects, not CORS.
Backpressure on message queues can delay heartbeats—tune timeouts independently of CORS.
