WebSocket handshakes: Origin header checks complement CORS for long-lived sessions
Browsers send Origin on WS upgrade; servers should validate it even when REST endpoints already use CORS.
Tags: websocket, security, origin
Differences from HTTP CORS
There is no CORS preflight for a WebSocket handshake as there is for fetch, so nothing in the browser blocks a cross-origin connection; rely on explicit Origin checks in server code.
Cookies may ride the handshake—decide SameSite and credential policies consistently with your REST API.
Operational tips
Log close codes when clients disconnect after failed origin checks to spot misconfigured frontends.
Use subprotocol negotiation for feature flags without leaking internal header names.
