HTTP headers in Websockets client API
Updated 2x
Short answer: No, only the path and protocol field can be specified.
Longer answer:
There is no method in the JavaScript WebSockets API for specifying additional headers for the client/browser to send. The HTTP path ("GET /xyz") and protocol header ("Sec-WebSocket-Protocol") can be specified in the WebSocket constructor.
The Sec-WebSocket-Protocol header (which is sometimes extended to be used in websocket specific authentication) is generated from the optional second argument to the WebSocket constructor:
var ws = new WebSocket("ws://example.com/path", "protocol");
var ws = new WebSocket("ws://example.com/path", ["protocol1", "protocol2"]);
The above results in the following headers:
Sec-WebSocket-Protocol: protocol
and
Sec-WebSocket-Protocol: protocol1, protocol2
A common pattern for achieving WebSocket authentication/authorization is to implement a ticketing system where the page hosting the WebSocket client requests a ticket from the server and then passes this ticket during WebSocket connection setup either in the URL/query string, in the protocol field, or required as the first message after the connection is established. The server then only allows the connection to continue if the ticket is valid (exists, has not been already used, client IP encoded in ticket matches, timestamp in ticket is recent, etc). Here is a summary of WebSocket security information: https://devcenter.heroku.com/articles/websocket-security
Basic authentication was formerly an option but this has been deprecated and modern browsers don't send the header even if it is specified.
Basic Auth Info (Deprecated - No longer functional):
NOTE: the following information is no longer accurate in any modern browsers.
The Authorization header is generated from the username and password (or just username) field of the WebSocket URI:
var ws = new WebSocket("ws://username:password@example.com")
The above results in the following header with the string "username:password" base64 encoded:
Authorization: Basic dXNlcm5hbWU6cGFzc3dvcmQ=
I have tested basic auth in Chrome 55 and Firefox 50 and verified that the basic auth info is indeed negotiated with the server (this may not work in Safari).
Thanks to Dmitry Frank for the basic auth answer.
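The ticket check described in the answer above (valid signature, not already used, client IP matches, timestamp recent), sketched for a Node.js server as an added example that is not part of the original answer. The names issueTicket, redeemTicket, SECRET and TTL_MS, and the 30-second lifetime, are assumptions made for illustration.

```javascript
// Added example: single-use, short-lived WebSocket tickets (server side).
const crypto = require("node:crypto");

const SECRET = crypto.randomBytes(32); // per-process signing key (assumption)
const TTL_MS = 30_000;                 // ticket lifetime (assumed value)
const redeemed = new Map();            // nonce -> expiry, for replay detection

function sign(payload) {
  return crypto.createHmac("sha256", SECRET).update(payload).digest("base64url");
}

// Called by an authenticated HTTP endpoint before the page opens the socket.
function issueTicket(clientIp, now = Date.now()) {
  const payload = Buffer.from(JSON.stringify({
    ip: clientIp,
    exp: now + TTL_MS,
    nonce: crypto.randomBytes(16).toString("hex"),
  })).toString("base64url");
  return `${payload}.${sign(payload)}`;
}

// Called during the WebSocket handshake (ticket taken from the query string or
// protocol field) or when the first message arrives.
function redeemTicket(ticket, clientIp, now = Date.now()) {
  const [payload, mac, ...rest] = String(ticket).split(".");
  if (!payload || !mac || rest.length) return { ok: false, reason: "malformed" };

  // Verify the MAC in constant time before trusting anything in the payload.
  const expected = Buffer.from(sign(payload));
  const given = Buffer.from(mac);
  if (given.length !== expected.length || !crypto.timingSafeEqual(given, expected)) {
    return { ok: false, reason: "bad-signature" };
  }
  const { ip, exp, nonce } = JSON.parse(Buffer.from(payload, "base64url").toString());
  if (now > exp) return { ok: false, reason: "expired" };
  if (ip !== clientIp) return { ok: false, reason: "ip-mismatch" };
  if (redeemed.has(nonce)) return { ok: false, reason: "already-used" };

  // Drop nonces whose tickets have expired anyway, then record this one.
  for (const [n, e] of redeemed) if (e < now) redeemed.delete(n);
  redeemed.set(nonce, exp);
  return { ok: true };
}
```

A ticket passed in the URL can end up in server and proxy logs, which is why it is kept single-use and short-lived here.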
WebSockets and HTTP headers
Is it possible to alter WebSocket connection headers, after the connection has been established?
You can't set a cookie upon receipt of a WebSocket message. Once the WebSocket connection has been established, it's an open TCP socket and the protocol is no longer http, thus there is no built-in way to exchange cookies.
You can use authorization on the first HTTP request, where both sides establish the protocol for exchanging data.
How to set origin header to websocket client in Rust?
You can use an http::Request instead of just a Url:
use http::Request;
use tokio_tungstenite;

let request = Request::builder()
    .uri("wss://server.example.com")
    .header("Origin", "https://example.com")
    .body(())?;
let (mut ws_remote, _) = tokio_tungstenite::connect_async(request).await?;
Send headers in Websockets connection request from Python client
According to the documentation, you can pass headers in the extra_headers param of the connect() function. Details: https://websockets.readthedocs.io/en/stable/reference/client.html
So code should look something like this:
import websockets

async def connect():
    # headers: the extra HTTP headers to send with the opening handshake
    async with websockets.connect("wss://site.com/ws", extra_headers=headers) as websocket:
        response = await websocket.recv()
        print(response)