Sec-WebSocket-Accept Header

Table of Content

  • Syntax
  • Directives
  • Examples
  • Browser Compatibility
  • How to modify Sec-WebSocket-Accept header The Sec-WebSocket-Accept header is part of the WebSocket protocol, it is used to validate a WebSocket connection. Essentially, during the handshake process when establishing a WebSocket connection, the client sends a Sec-WebSocket-Key header to the server. The server then appends a specific GUID (Globally Unique Identifier) string to this key, hashes it with SHA-1, and then base64 encodes that hash. This value is sent back to the client in the Sec-WebSocket-Accept header. If the client verifies this header successfully, the WebSocket connection is established.


Sec-WebSocket-Accept: <hashed value of client key>


The Sec-WebSocket-Accept header has no directive as such, but merely contains the hashed and encoded value in response to the provided Sec-WebSocket-Key client header.


For instance, if the client sends a request with:

Sec-WebSocket-Key: x3JJHMbDL1EzLkh9GBhXDw==

The server will respond with:

Sec-WebSocket-Accept: HSmrc0sMlYUkAGmm5OPpG2HaGWk=

Browser Compatibility

Browser Compatibility
Chrome Supported
Firefox Supported
Safari Supported
Opera Supported
Edge Supported

How to modify Sec-WebSocket-Accept header

While the Sec-WebSocket-Accept header might not be something you generally want to manipulate as it is calculated and verified by the client and server automatically, for testing and debugging purposes it might be useful. In Chrome, you can use the ModHeader extension to alter Chrome's headers.

  1. After installing ModHeader, click on the ModHeader icon and add a new header.

  2. Set 'Name' as 'Sec-WebSocket-Accept', and 'Value' as your desired value.

Please note manipulating Sec-WebSocket-Accept may cause the connection to fail if the client is unable to verify the handshake.