DEV Community: K.R Yashwanth reddy The latest articles on DEV Community by K.R Yashwanth reddy (@kr_yashwanthreddy_f5b78). https://dev.to/kr_yashwanthreddy_f5b78 https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F3883618%2F3d4dcfef-592e-421b-964c-d3f42564c4b8.jpg DEV Community: K.R Yashwanth reddy https://dev.to/kr_yashwanthreddy_f5b78 en WebSocket Authentication Deep Dive — Tokens, Stateful Connections, and the CORS Bypass Nobody Warns You About K.R Yashwanth reddy Tue, 09 Jun 2026 06:13:13 +0000 https://dev.to/kr_yashwanthreddy_f5b78/websocket-authentication-deep-dive-tokens-stateful-connections-and-the-cors-bypass-nobody-warns-4pap https://dev.to/kr_yashwanthreddy_f5b78/websocket-authentication-deep-dive-tokens-stateful-connections-and-the-cors-bypass-nobody-warns-4pap <h1> WebSocket Authentication Deep Dive — Tokens, Stateful Connections, and the CORS Bypass Nobody Warns You About </h1> <p>WebSockets are powerful. They enable real-time, bidirectional communication between a client and a server — perfect for chat apps, live dashboards, collaborative tools, and more. But when it comes to <strong>authentication</strong>, they behave quite differently from regular HTTP requests, and those differences can introduce subtle security vulnerabilities if you're not careful.</p> <p>In this post, I'll walk through:</p> <ul> <li>The three main ways to authenticate HTTP requests</li> <li>Why some of them simply don't work for WebSockets</li> <li>The right approach for WebSocket authentication</li> <li>A sneaky CORS bypass that most tutorials completely skip over</li> </ul> <p>I'll be using the <code>ws</code> library for backend examples. If you're using <code>socket.io</code>, the abstraction layer handles some of this, but the core concepts — and the vulnerabilities — remain the same.</p> <h2> How Do We Authenticate Regular HTTP Requests? </h2> <p>Before jumping to WebSockets, let's recap the three standard ways to pass authentication tokens in a regular HTTP request.</p> <h3> 1. Cookies </h3> <p>Cookies are one of the most secure options. You can store JWT tokens in <code>HttpOnly</code> cookies, which means JavaScript on the page can't access them, offering solid protection against XSS attacks.</p> <p><strong>The trade-off:</strong> Cookies aren't cache-friendly. CDN services like Cloudflare typically cache responses based on the URL, not cookie content. This can cause caching issues in some architectures.</p> <h3> 2. URL Parameters (Path &amp; Query) </h3> <p>Tokens can travel through the URL itself — as either a <strong>path parameter</strong> or a <strong>query parameter</strong>.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight http"><code><span class="err"># Path parameter GET https://api.example.com/data/user123 # Query parameter GET https://api.example.com/data?token=abc123&amp;filter=active </span></code></pre> </div> <p>Path parameters are typically used for resource identification and content segregation. Query parameters are more flexible and can carry many conditional fields.</p> <p>Both are part of the URL, which means they can show up in browser history, server logs, and CDN caches — making them less ideal for sensitive tokens in general HTTP contexts.</p> <h3> 3. Authorization Header </h3> <p>The most widely used approach for API authentication. You attach a header directly to the request:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight http"><code><span class="nf">GET</span> <span class="nn">/api/resource</span> <span class="k">HTTP</span><span class="o">/</span><span class="m">1.1</span> <span class="na">Host</span><span class="p">:</span> <span class="s">yourserver.com</span> <span class="na">Authorization</span><span class="p">:</span> <span class="s">Bearer &lt;your_jwt_token&gt;</span> </code></pre> </div> <p>This is clean, not part of the URL, and supported by every auth service and framework you'll encounter — Clerk, Auth0, Firebase Auth, custom JWT setups, you name it.</p> <h2> How Does a WebSocket Connection Work? </h2> <p>A WebSocket connection doesn't start from scratch — it <strong>upgrades</strong> an existing HTTP connection. Here's the flow:</p> <ol> <li>The client (browser) sends a special HTTP request with an <code>Upgrade: websocket</code> header.</li> <li>The server recognizes the request and, if it accepts, responds with a <strong><code>101 Switching Protocols</code></strong> status code.</li> <li>The TCP connection stays open and both client and server can now exchange messages freely and efficiently. </li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Client Server | | | GET /ws HTTP/1.1 | | Upgrade: websocket | | Connection: Upgrade | | Sec-WebSocket-Key: xyz... | |---------------------------------&gt; | | | | HTTP/1.1 101 Switching Protocols | | Upgrade: websocket | | Connection: Upgrade | | &lt;---------------------------------| | | | &lt;==== WebSocket frames ====&gt; | </code></pre> </div> <p>One critical property of WebSockets: they are <strong>stateful</strong>. Unlike HTTP — where the server forgets you the moment the response is sent — a WebSocket connection remembers who you are for the entire duration of the connection. This has major implications for authentication.</p> <h2> The WebSocket Authentication Problem </h2> <p>Here's where things get tricky. The browser's native <strong>WebSocket API</strong> — the one your frontend uses to initiate a connection — is quite restrictive:</p> <blockquote> <p><strong>You cannot add custom headers or a body to the WebSocket handshake request.</strong></p> </blockquote> <p>This is a browser-level limitation. When you call <code>new WebSocket(url)</code>, the browser constructs and sends the upgrade request on your behalf, and it does not expose a way to inject custom headers.</p> <p>This immediately rules out the <strong>Authorization header</strong> approach.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="c1">// ❌ This does NOT work in a browser</span> <span class="kd">const</span> <span class="nx">ws</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">WebSocket</span><span class="p">(</span><span class="dl">'</span><span class="s1">wss://yourserver.com/ws</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="na">headers</span><span class="p">:</span> <span class="p">{</span> <span class="na">Authorization</span><span class="p">:</span> <span class="dl">'</span><span class="s1">Bearer your_token_here</span><span class="dl">'</span> <span class="c1">// Browsers ignore this</span> <span class="p">}</span> <span class="p">});</span> </code></pre> </div> <p>So where does that leave us? We're back to <strong>cookies</strong> or <strong>URL parameters</strong>. Both work — cookies are sent automatically with the upgrade request since it's still an HTTP request underneath. But for simplicity and flexibility (especially when working with JWTs from services like Clerk), <strong>passing the token as a query parameter</strong> is the most practical and widely adopted approach.</p> <h2> The Solution: Token as a Query Parameter </h2> <h3> Frontend </h3> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="c1">// Get the token from your auth provider or local storage</span> <span class="kd">const</span> <span class="nx">token</span> <span class="o">=</span> <span class="nx">localStorage</span><span class="p">.</span><span class="nf">getItem</span><span class="p">(</span><span class="dl">'</span><span class="s1">auth_token</span><span class="dl">'</span><span class="p">);</span> <span class="c1">// Pass it as a query parameter in the WebSocket URL</span> <span class="kd">const</span> <span class="nx">ws</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">WebSocket</span><span class="p">(</span><span class="s2">`wss://yourserver.com/ws?token=</span><span class="p">${</span><span class="nx">token</span><span class="p">}</span><span class="s2">`</span><span class="p">);</span> <span class="nx">ws</span><span class="p">.</span><span class="nx">onopen</span> <span class="o">=</span> <span class="p">()</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="dl">'</span><span class="s1">WebSocket connection established</span><span class="dl">'</span><span class="p">);</span> <span class="p">};</span> <span class="nx">ws</span><span class="p">.</span><span class="nx">onmessage</span> <span class="o">=</span> <span class="p">(</span><span class="nx">event</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="dl">'</span><span class="s1">Message received:</span><span class="dl">'</span><span class="p">,</span> <span class="nx">event</span><span class="p">.</span><span class="nx">data</span><span class="p">);</span> <span class="p">};</span> <span class="nx">ws</span><span class="p">.</span><span class="nx">onerror</span> <span class="o">=</span> <span class="p">(</span><span class="nx">error</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="nx">console</span><span class="p">.</span><span class="nf">error</span><span class="p">(</span><span class="dl">'</span><span class="s1">WebSocket error:</span><span class="dl">'</span><span class="p">,</span> <span class="nx">error</span><span class="p">);</span> <span class="p">};</span> </code></pre> </div> <h3> Backend (using the <code>ws</code> library) </h3> <p>On the server, you extract the token from the URL during the initial <code>connection</code> event, verify it, and attach the user to the socket instance.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="kd">const</span> <span class="nx">WebSocket</span> <span class="o">=</span> <span class="nf">require</span><span class="p">(</span><span class="dl">'</span><span class="s1">ws</span><span class="dl">'</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">jwt</span> <span class="o">=</span> <span class="nf">require</span><span class="p">(</span><span class="dl">'</span><span class="s1">jsonwebtoken</span><span class="dl">'</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">url</span> <span class="o">=</span> <span class="nf">require</span><span class="p">(</span><span class="dl">'</span><span class="s1">url</span><span class="dl">'</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">wss</span> <span class="o">=</span> <span class="k">new</span> <span class="nx">WebSocket</span><span class="p">.</span><span class="nc">Server</span><span class="p">({</span> <span class="na">port</span><span class="p">:</span> <span class="mi">8080</span> <span class="p">});</span> <span class="nx">wss</span><span class="p">.</span><span class="nf">on</span><span class="p">(</span><span class="dl">'</span><span class="s1">connection</span><span class="dl">'</span><span class="p">,</span> <span class="p">(</span><span class="nx">ws</span><span class="p">,</span> <span class="nx">req</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="c1">// Step 1: Extract token from query params</span> <span class="kd">const</span> <span class="nx">params</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">URLSearchParams</span><span class="p">(</span><span class="nx">url</span><span class="p">.</span><span class="nf">parse</span><span class="p">(</span><span class="nx">req</span><span class="p">.</span><span class="nx">url</span><span class="p">).</span><span class="nx">query</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">token</span> <span class="o">=</span> <span class="nx">params</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="dl">'</span><span class="s1">token</span><span class="dl">'</span><span class="p">);</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">token</span><span class="p">)</span> <span class="p">{</span> <span class="nx">ws</span><span class="p">.</span><span class="nf">close</span><span class="p">(</span><span class="mi">4001</span><span class="p">,</span> <span class="dl">'</span><span class="s1">Unauthorized: No token provided</span><span class="dl">'</span><span class="p">);</span> <span class="k">return</span><span class="p">;</span> <span class="p">}</span> <span class="c1">// Step 2: Verify the token</span> <span class="k">try</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">decoded</span> <span class="o">=</span> <span class="nx">jwt</span><span class="p">.</span><span class="nf">verify</span><span class="p">(</span><span class="nx">token</span><span class="p">,</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">JWT_SECRET</span><span class="p">);</span> <span class="c1">// Step 3: Attach the verified user to the socket</span> <span class="nx">ws</span><span class="p">.</span><span class="nx">user</span> <span class="o">=</span> <span class="nx">decoded</span><span class="p">;</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="s2">`User </span><span class="p">${</span><span class="nx">decoded</span><span class="p">.</span><span class="nx">userId</span><span class="p">}</span><span class="s2"> connected`</span><span class="p">);</span> <span class="p">}</span> <span class="k">catch </span><span class="p">(</span><span class="nx">err</span><span class="p">)</span> <span class="p">{</span> <span class="nx">ws</span><span class="p">.</span><span class="nf">close</span><span class="p">(</span><span class="mi">4001</span><span class="p">,</span> <span class="dl">'</span><span class="s1">Unauthorized: Invalid or expired token</span><span class="dl">'</span><span class="p">);</span> <span class="k">return</span><span class="p">;</span> <span class="p">}</span> <span class="c1">// Step 4: Handle messages — no re-authentication needed</span> <span class="nx">ws</span><span class="p">.</span><span class="nf">on</span><span class="p">(</span><span class="dl">'</span><span class="s1">message</span><span class="dl">'</span><span class="p">,</span> <span class="p">(</span><span class="nx">message</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="s2">`Message from </span><span class="p">${</span><span class="nx">ws</span><span class="p">.</span><span class="nx">user</span><span class="p">.</span><span class="nx">userId</span><span class="p">}</span><span class="s2">:`</span><span class="p">,</span> <span class="nx">message</span><span class="p">.</span><span class="nf">toString</span><span class="p">());</span> <span class="c1">// ws.user is already verified and available here</span> <span class="p">});</span> <span class="nx">ws</span><span class="p">.</span><span class="nf">on</span><span class="p">(</span><span class="dl">'</span><span class="s1">close</span><span class="dl">'</span><span class="p">,</span> <span class="p">()</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="s2">`User </span><span class="p">${</span><span class="nx">ws</span><span class="p">.</span><span class="nx">user</span><span class="p">?.</span><span class="nx">userId</span><span class="p">}</span><span class="s2"> disconnected`</span><span class="p">);</span> <span class="p">});</span> <span class="p">});</span> </code></pre> </div> <h2> Authentication Is Done Once — And That's by Design </h2> <p>Because WebSockets are <strong>stateful</strong>, authentication only happens once — at handshake time. The server verifies the token, attaches the user to the socket object, and then remembers that user for every message that follows. You do <strong>not</strong> need to re-authenticate on each message.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Client Server | | | WS Handshake + ?token=abc123 | | ✅ Token verified | | ws.user = { id: 42, role: 'user'}| | &lt;---------------------------------| | | | "message: Hello" ------------&gt; | ← No re-auth needed | "message: How are you?" ------&gt; | ← ws.user still attached | "message: Update this" -------&gt; | ← ws.user still attached </code></pre> </div> <p>This works regardless of which auth provider you're using. The pattern is always the same: validate once, trust the session.</p> <blockquote> <p>⚠️ <strong>Token Expiry Note:</strong> If your JWT can expire <em>during</em> an active WebSocket session, you'll need a strategy for that. Options include: closing the connection when the token expires (and letting the client reconnect with a fresh one), or implementing a heartbeat mechanism where the client periodically sends a refreshed token over the socket.</p> </blockquote> <h2> The Hidden CORS Bypass — A Real Security Risk </h2> <p>This is the part most tutorials skip — and it's arguably the most important.</p> <p><strong>WebSocket upgrade requests do NOT go through your <code>cors()</code> middleware.</strong></p> <p>That <code>cors()</code> call in your Express app? The one that blocks requests from unknown origins? It <strong>does not apply to WebSocket connections</strong>. The WebSocket upgrade happens at the raw HTTP server level, before Express processes it.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="c1">// ✅ This protects your REST API routes</span> <span class="nx">app</span><span class="p">.</span><span class="nf">use</span><span class="p">(</span><span class="nf">cors</span><span class="p">({</span> <span class="na">origin</span><span class="p">:</span> <span class="dl">'</span><span class="s1">https://yourfrontend.com</span><span class="dl">'</span> <span class="p">}));</span> <span class="c1">// ❌ This does NOT protect your WebSocket endpoint</span> <span class="nx">wss</span><span class="p">.</span><span class="nf">on</span><span class="p">(</span><span class="dl">'</span><span class="s1">connection</span><span class="dl">'</span><span class="p">,</span> <span class="p">(</span><span class="nx">ws</span><span class="p">,</span> <span class="nx">req</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="p">...</span> <span class="p">});</span> </code></pre> </div> <p>What this means in practice: an attacker could write a script (not even a browser, just a raw Node.js/Python script) that establishes a WebSocket connection to your server from any origin — completely bypassing your CORS policy. If your only gating mechanism was origin-based, your server is open.</p> <h3> The Fix: Manually Validate the Origin Header </h3> <p>You need to manually check the <code>origin</code> header on every incoming WebSocket connection.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="kd">const</span> <span class="nx">ALLOWED_ORIGINS</span> <span class="o">=</span> <span class="p">[</span> <span class="dl">'</span><span class="s1">https://yourfrontend.com</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">http://localhost:3000</span><span class="dl">'</span> <span class="c1">// for local development</span> <span class="p">];</span> <span class="nx">wss</span><span class="p">.</span><span class="nf">on</span><span class="p">(</span><span class="dl">'</span><span class="s1">connection</span><span class="dl">'</span><span class="p">,</span> <span class="p">(</span><span class="nx">ws</span><span class="p">,</span> <span class="nx">req</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">origin</span> <span class="o">=</span> <span class="nx">req</span><span class="p">.</span><span class="nx">headers</span><span class="p">[</span><span class="dl">'</span><span class="s1">origin</span><span class="dl">'</span><span class="p">];</span> <span class="c1">// 1. Manual origin check — CORS middleware won't do this for you</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">origin</span> <span class="o">||</span> <span class="o">!</span><span class="nx">ALLOWED_ORIGINS</span><span class="p">.</span><span class="nf">includes</span><span class="p">(</span><span class="nx">origin</span><span class="p">))</span> <span class="p">{</span> <span class="nx">console</span><span class="p">.</span><span class="nf">warn</span><span class="p">(</span><span class="s2">`Rejected WebSocket connection from origin: </span><span class="p">${</span><span class="nx">origin</span><span class="p">}</span><span class="s2">`</span><span class="p">);</span> <span class="nx">ws</span><span class="p">.</span><span class="nf">close</span><span class="p">(</span><span class="mi">4003</span><span class="p">,</span> <span class="dl">'</span><span class="s1">Forbidden: Invalid origin</span><span class="dl">'</span><span class="p">);</span> <span class="k">return</span><span class="p">;</span> <span class="p">}</span> <span class="c1">// 2. Token verification</span> <span class="kd">const</span> <span class="nx">params</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">URLSearchParams</span><span class="p">(</span><span class="nx">url</span><span class="p">.</span><span class="nf">parse</span><span class="p">(</span><span class="nx">req</span><span class="p">.</span><span class="nx">url</span><span class="p">).</span><span class="nx">query</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">token</span> <span class="o">=</span> <span class="nx">params</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="dl">'</span><span class="s1">token</span><span class="dl">'</span><span class="p">);</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">token</span><span class="p">)</span> <span class="p">{</span> <span class="nx">ws</span><span class="p">.</span><span class="nf">close</span><span class="p">(</span><span class="mi">4001</span><span class="p">,</span> <span class="dl">'</span><span class="s1">Unauthorized: No token provided</span><span class="dl">'</span><span class="p">);</span> <span class="k">return</span><span class="p">;</span> <span class="p">}</span> <span class="k">try</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">decoded</span> <span class="o">=</span> <span class="nx">jwt</span><span class="p">.</span><span class="nf">verify</span><span class="p">(</span><span class="nx">token</span><span class="p">,</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">JWT_SECRET</span><span class="p">);</span> <span class="nx">ws</span><span class="p">.</span><span class="nx">user</span> <span class="o">=</span> <span class="nx">decoded</span><span class="p">;</span> <span class="p">}</span> <span class="k">catch </span><span class="p">(</span><span class="nx">err</span><span class="p">)</span> <span class="p">{</span> <span class="nx">ws</span><span class="p">.</span><span class="nf">close</span><span class="p">(</span><span class="mi">4001</span><span class="p">,</span> <span class="dl">'</span><span class="s1">Unauthorized: Invalid token</span><span class="dl">'</span><span class="p">);</span> <span class="k">return</span><span class="p">;</span> <span class="p">}</span> <span class="nx">ws</span><span class="p">.</span><span class="nf">on</span><span class="p">(</span><span class="dl">'</span><span class="s1">message</span><span class="dl">'</span><span class="p">,</span> <span class="p">(</span><span class="nx">message</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="s2">`Message from </span><span class="p">${</span><span class="nx">ws</span><span class="p">.</span><span class="nx">user</span><span class="p">.</span><span class="nx">userId</span><span class="p">}</span><span class="s2">:`</span><span class="p">,</span> <span class="nx">message</span><span class="p">.</span><span class="nf">toString</span><span class="p">());</span> <span class="p">});</span> <span class="p">});</span> </code></pre> </div> <p>For an even cleaner approach, you can intercept the upgrade at the raw HTTP server level — rejecting invalid connections before they even become WebSocket connections:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="kd">const</span> <span class="nx">http</span> <span class="o">=</span> <span class="nf">require</span><span class="p">(</span><span class="dl">'</span><span class="s1">http</span><span class="dl">'</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">WebSocket</span> <span class="o">=</span> <span class="nf">require</span><span class="p">(</span><span class="dl">'</span><span class="s1">ws</span><span class="dl">'</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">server</span> <span class="o">=</span> <span class="nx">http</span><span class="p">.</span><span class="nf">createServer</span><span class="p">(</span><span class="nx">app</span><span class="p">);</span> <span class="c1">// your Express app</span> <span class="kd">const</span> <span class="nx">wss</span> <span class="o">=</span> <span class="k">new</span> <span class="nx">WebSocket</span><span class="p">.</span><span class="nc">Server</span><span class="p">({</span> <span class="na">noServer</span><span class="p">:</span> <span class="kc">true</span> <span class="p">});</span> <span class="c1">// Intercept the HTTP upgrade request before it becomes a WebSocket</span> <span class="nx">server</span><span class="p">.</span><span class="nf">on</span><span class="p">(</span><span class="dl">'</span><span class="s1">upgrade</span><span class="dl">'</span><span class="p">,</span> <span class="p">(</span><span class="nx">req</span><span class="p">,</span> <span class="nx">socket</span><span class="p">,</span> <span class="nx">head</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">origin</span> <span class="o">=</span> <span class="nx">req</span><span class="p">.</span><span class="nx">headers</span><span class="p">[</span><span class="dl">'</span><span class="s1">origin</span><span class="dl">'</span><span class="p">];</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">ALLOWED_ORIGINS</span><span class="p">.</span><span class="nf">includes</span><span class="p">(</span><span class="nx">origin</span><span class="p">))</span> <span class="p">{</span> <span class="c1">// Reject at the HTTP level — clean and early</span> <span class="nx">socket</span><span class="p">.</span><span class="nf">write</span><span class="p">(</span><span class="dl">'</span><span class="s1">HTTP/1.1 403 Forbidden</span><span class="se">\r\n\r\n</span><span class="dl">'</span><span class="p">);</span> <span class="nx">socket</span><span class="p">.</span><span class="nf">destroy</span><span class="p">();</span> <span class="k">return</span><span class="p">;</span> <span class="p">}</span> <span class="nx">wss</span><span class="p">.</span><span class="nf">handleUpgrade</span><span class="p">(</span><span class="nx">req</span><span class="p">,</span> <span class="nx">socket</span><span class="p">,</span> <span class="nx">head</span><span class="p">,</span> <span class="p">(</span><span class="nx">ws</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="nx">wss</span><span class="p">.</span><span class="nf">emit</span><span class="p">(</span><span class="dl">'</span><span class="s1">connection</span><span class="dl">'</span><span class="p">,</span> <span class="nx">ws</span><span class="p">,</span> <span class="nx">req</span><span class="p">);</span> <span class="p">});</span> <span class="p">});</span> <span class="nx">server</span><span class="p">.</span><span class="nf">listen</span><span class="p">(</span><span class="mi">8080</span><span class="p">);</span> </code></pre> </div> <p>This is the cleanest pattern — invalid origins are rejected at the TCP socket level before any WebSocket logic runs.</p> <h2> Summary </h2> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Auth Method</th> <th>Works for WebSockets?</th> <th>Notes</th> </tr> </thead> <tbody> <tr> <td>Authorization Header</td> <td>❌ No</td> <td>Browser WebSocket API doesn't allow custom headers</td> </tr> <tr> <td>Cookies</td> <td>✅ Yes</td> <td>Sent automatically; watch out for CSRF</td> </tr> <tr> <td>Query Parameters</td> <td>✅ Yes</td> <td>Most practical; token visible in URL/logs</td> </tr> <tr> <td>Path Parameters</td> <td>⚠️ Awkward</td> <td>Not conventional for auth tokens</td> </tr> </tbody> </table></div> <p>Here are the five things to walk away with:</p> <ol> <li> <strong>You cannot add custom headers</strong> to a WebSocket handshake from the browser — the native WebSocket API doesn't allow it, so the Authorization header approach is out.</li> <li> <strong>Pass the token as a query parameter</strong> in the WebSocket URL — it's the most practical and widely adopted approach.</li> <li> <strong>Authenticate once, at handshake time</strong> — because WebSockets are stateful, the server remembers the authenticated user. There's no need to re-authenticate on each message.</li> <li> <strong>Your initial auth must be airtight</strong> — since it's the only time authentication happens on that connection, make sure the token validation is solid.</li> <li> <strong>WebSocket requests bypass your <code>cors()</code> middleware</strong> — you <em>must</em> manually validate the <code>Origin</code> header on the server to prevent connections from unauthorized origins.</li> </ol> <p>If you're using <code>socket.io</code> instead of the raw <code>ws</code> library, some of this is handled by the abstraction — but the browser still uses the native WebSocket API underneath, so the CORS bypass and the query-param pattern still apply at the core level.</p> <p>Happy coding! 🚀</p> websockets javascript security authentication