

Sec-WebSocket-Accept


The HTTP Sec-WebSocket-Accept response header is used in the WebSocket opening handshake to indicate that the server is willing to upgrade to a WebSocket connection.

This header must appear no more than once in the response, and has a directive value that is calculated from the Sec-WebSocket-Key request header sent in the corresponding request.

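This header is a response header that signifies the server’s acceptance of the WebSocket connection request. It is generated by combining the client’s Sec-WebSocket-Key with a fixed GUID, hashing the result, and then base64-encoding that hash. Because the value depends on the key the client just sent, a matching value shows the client that the response comes from a server that understood the WebSocket handshake and is answering this particular request. The GUID is public and the computation involves no secret, so the header does not authenticate the server or protect the connection's contents.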

Note: The Sec-WebSocket-Accept header is set by the server to agree to upgrade the connection to WebSocket. It is derived exclusively from the client-sent Sec-WebSocket-Key header and is critical in confirming the handshake’s validity.

Syntax

Sec-WebSocket-Accept: <hashed key>

Directives


<hashed key>

If a Sec-WebSocket-Key header was provided, the value of this header is computed by taking the value of the key, concatenating the string 258EAFA5-E914-47DA-95CA-C5AB0DC85B11, and taking the SHA-1 hash of that concatenated string — resulting in a 20-byte value.
That value is then base64 encoded to obtain the value of this property.

Example

The client initiates a WebSocket handshake using a request similar to the example below.
Note that this begins as an HTTP GET request (HTTP/1.1 or later) and includes the Upgrade header, indicating the desire to establish a WebSocket connection.
It also contains the Sec-WebSocket-Key, which is utilized in calculating the Sec-WebSocket-Accept to verify the upgrade request.

Example of a WebSocket opening handshake request:

GET /chat HTTP/1.1
Host: example.com:8000
Upgrade: websocket
Connection: Upgrade
Sec-WebSocket-Key: dGhlIHNhbXBsZSBub25jZQ==
Sec-WebSocket-Version: 13

The server responds with a header that confirms the upgrade, including a Sec-WebSocket-Accept value derived from the client’s key:

HTTP/1.1 101 Switching Protocols
Upgrade: websocket
Connection: Upgrade
Sec-WebSocket-Accept: s3pPLMBiTxaQ9kYGzzhZRbK+xOo=
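
The check a client makes on the response above, as an added example (not Requestly's or any browser's own code): it recomputes the expected value from the key it sent and rejects a response whose Sec-WebSocket-Accept is missing, duplicated or different. The function names and the overridden and duplicated responses are constructed for illustration.

```python
import base64
import hashlib

WS_GUID = "258EAFA5-E914-47DA-95CA-C5AB0DC85B11"  # fixed string from the page


def compute_accept(key: str) -> str:
    """base64(SHA-1(key + GUID)), as described under <hashed key>."""
    digest = hashlib.sha1((key.strip() + WS_GUID).encode("ascii")).digest()
    return base64.b64encode(digest).decode("ascii")


def check_handshake(sent_key: str, raw_response: str) -> str:
    """Client-side check of the server's handshake response head."""
    lines = raw_response.strip().splitlines()
    status = lines[0].split() if lines else []
    if len(status) < 2 or status[1] != "101":
        return "reject: status is not 101"
    # Header names are case-insensitive; collect every Accept value.
    accepts = []
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "sec-websocket-accept":
            accepts.append(value.strip())
    if len(accepts) != 1:
        return "reject: expected exactly one Sec-WebSocket-Accept"
    if accepts[0] != compute_accept(sent_key):
        return "reject: Sec-WebSocket-Accept does not match the key sent"
    return "ok"


# Key and response copied from the page's example.
KEY = "dGhlIHNhbXBsZSBub25jZQ=="
RESPONSE = (
    "HTTP/1.1 101 Switching Protocols\r\n"
    "Upgrade: websocket\r\n"
    "Connection: Upgrade\r\n"
    "Sec-WebSocket-Accept: s3pPLMBiTxaQ9kYGzzhZRbK+xOo=\r\n\r\n"
)
# Constructed variants: an overridden value and a duplicated header.
OVERRIDDEN = RESPONSE.replace("s3pPLMBi", "AAAAAAAA")
DUPLICATED = RESPONSE.replace("Upgrade: websocket", "Sec-WebSocket-Accept: x")

if __name__ == "__main__":
    for label, resp in (("page", RESPONSE), ("overridden", OVERRIDDEN),
                        ("duplicated", DUPLICATED)):
        print(label, "->", check_handshake(KEY, resp))
```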

How to Modify Header using Requestly

Requestly is a powerful Chrome extension that allows you to modify HTTP headers, including the Sec-WebSocket-Accept header. This can be helpful for debugging WebSocket connections or simulating how your server handles different handshake responses.

Steps to Modify the Sec-WebSocket-Accept Header:

  1. Install and open the Requestly Chrome extension. You can find it on the Chrome Web Store.
  2. Create a new rule: Click on “Create Rule” and choose “Modify Headers” from the list of available rule types.
  3. Add a new header modification:
    • Under “Action”, select “Add” or “Override”.
    • In the “Header Name” field, enter Sec-WebSocket-Accept.
    • In the “Header Value” field, enter the desired accept key value (usually a base64-encoded SHA-1 hash).
  4. Set the URL condition: Specify the WebSocket URL or pattern where this header change should apply (e.g., wss://your-websocket-server.com/*).
  5. Save the rule.

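Once set up, Requestly will inject your custom Sec-WebSocket-Accept header into all matching WebSocket handshake responses, which can help you test how clients behave with altered handshake validations. A conforming client compares the value with the one it computes from its own Sec-WebSocket-Key and fails the connection when they differ, so an overridden value that does not match normally shows up as a handshake failure.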

Modifying the Sec-WebSocket-Accept header can help developers troubleshoot handshake failures or experiment with custom server responses. It’s useful when you want to simulate different WebSocket connection scenarios without changing the actual server.