laegirl

Reputation: 305

Sec-WebSocket-Accept digest verification in the Client

I have been studying the WebSocket protocol a little and I am a little confused about the lack of any mention of client verification of the digest that the server generates in the Sec-WebSocket-Accept header.

  1. The client generates a base64 key and sends an upgrade GET request including the key in the Sec-WebSocket-Key header, along with the upgrade headers.
  2. The server takes the key, appends 258EAFA5-E914-47DA-95CA-C5AB0DC85B11, computes a SHA-1 over it, base64-encodes the result and sends it back in the Sec-WebSocket-Accept response header to the client with a 101.

In MDN there is no mention of the client verifying the digest that the server sent. I understand this header isn't a security feature, but just helps avoid connections made by mistake. I don't understand why you would not verify the digest on the client, to make sure the server computed a correct digest. Am I missing something here? What's the point of this header?

Upvotes: 0

Views: 13

Answers (1)

laegirl

Reputation: 305

From the WS spec:

If the |Sec-WebSocket-Accept| value does not match the expected
value, if the header field is missing, or if the HTTP status code is
not 101, the connection will not be established, and WebSocket frames
will not be sent.

So the client verifies the digest.

Thanks for coming to my TED talk.

Upvotes: 0
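The two handshake steps listed in the question and the three checks quoted from the spec in the answer, as an added example that is not part of the original post or of any WebSocket library: both sides of the opening handshake are modelled in plain Python (no network; the request and response are built as byte strings), and the client refuses the connection if the status is not 101, the Sec-WebSocket-Accept header is missing, or its value does not match base64(SHA-1(key + GUID)). The host name, path and the second key used to provoke a mismatch are made up for the example; the key/accept pair in the comment is the one given in RFC 6455.

```python
import base64
import hashlib
import hmac
import os
from typing import Dict, Tuple

# Fixed GUID from RFC 6455; the server appends it to the client's key before hashing.
WS_GUID = "258EAFA5-E914-47DA-95CA-C5AB0DC85B11"


def generate_key() -> str:
    """Client side: 16 random bytes, base64-encoded, sent as Sec-WebSocket-Key."""
    return base64.b64encode(os.urandom(16)).decode("ascii")


def compute_accept(key: str) -> str:
    """Both sides: base64(SHA-1(key + GUID)), the Sec-WebSocket-Accept value.

    RFC 6455 example: key "dGhlIHNhbXBsZSBub25jZQ==" gives "s3pPLMBiTxaQ9kYGzzhZRbK+xOo=".
    """
    digest = hashlib.sha1((key + WS_GUID).encode("ascii")).digest()
    return base64.b64encode(digest).decode("ascii")


def build_upgrade_request(host: str, path: str, key: str) -> bytes:
    """Client side: the GET upgrade request carrying the key and upgrade headers."""
    lines = [
        f"GET {path} HTTP/1.1",
        f"Host: {host}",
        "Upgrade: websocket",
        "Connection: Upgrade",
        f"Sec-WebSocket-Key: {key}",
        "Sec-WebSocket-Version: 13",
        "",
        "",
    ]
    return "\r\n".join(lines).encode("ascii")


def _parse_http_head(message: bytes) -> Tuple[str, Dict[str, str]]:
    """Split an HTTP/1.1 head into (start line, {lower-cased header name: value})."""
    head = message.split(b"\r\n\r\n", 1)[0].decode("ascii", errors="replace")
    start_line, *header_lines = head.split("\r\n")
    headers: Dict[str, str] = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return start_line, headers


def build_upgrade_response(request: bytes) -> bytes:
    """Server side: read Sec-WebSocket-Key and answer 101 with the computed Accept."""
    _, headers = _parse_http_head(request)
    key = headers["sec-websocket-key"]
    lines = [
        "HTTP/1.1 101 Switching Protocols",
        "Upgrade: websocket",
        "Connection: Upgrade",
        f"Sec-WebSocket-Accept: {compute_accept(key)}",
        "",
        "",
    ]
    return "\r\n".join(lines).encode("ascii")


def verify_handshake_response(response: bytes, key: str) -> Tuple[bool, str]:
    """Client side: the checks the spec requires before any frame is sent.

    Returns (ok, reason). The Accept value is not a secret, so a constant-time
    compare is not strictly needed; it is used here because it costs nothing.
    """
    start_line, headers = _parse_http_head(response)
    parts = start_line.split(" ", 2)
    if len(parts) < 2 or parts[1] != "101":
        return False, f"status is not 101: {start_line!r}"
    got = headers.get("sec-websocket-accept")
    if got is None:
        return False, "Sec-WebSocket-Accept header missing"
    expected = compute_accept(key)
    if not hmac.compare_digest(got.encode("ascii"), expected.encode("ascii")):
        return False, f"Sec-WebSocket-Accept mismatch: got {got!r}, expected {expected!r}"
    return True, "handshake accepted"


if __name__ == "__main__":
    # Constructed round trip: host and path are made up for the example.
    key = generate_key()
    request = build_upgrade_request("example.invalid", "/chat", key)
    response = build_upgrade_response(request)
    print(verify_handshake_response(response, key))
    # The same response checked against a different key must be rejected.
    print(verify_handshake_response(response, generate_key()))
```

Because the GUID is public and the key travels in the clear, anyone who sees the request can compute a valid Accept; the check proves that the peer actually ran the WebSocket handshake logic for this particular request, not that the peer is trusted. A browser performs these checks internally and surfaces a failure only as a closed connection, which is why the MDN client-side documentation does not describe them.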
