Websocket Connection Handsake Under The Hood

Image for post
Image for post
Photo by claudiasoraya on Unsplash

WebSocket is a computer communications protocol, providing full-duplex communication channels over a single TCP connection. The WebSocket protocol was standardized by the IETF as RFC 6455 in 2011, and the WebSocket API in Web IDL is being standardized by the W3C. WebSocket provides full-duplex communication. In plain words: There is a persistent connection between the client and the server and both parties can start sending data at any time.

I have been using WebSocket for 4 years. I know how HTTP works but not with WebSocket. So I decided to dig a little deeper. With this article, I will help you to understand how the persistent connection works in the WebSocket protocol. It was very simple and very easy to understand.


Websocket connection begins with an HTTP GET request from the client to the server. The request carries with a special header to tell the server that it wants to create a WebSocket connection. Here is the header specification:

Server response:

The client must send a Sec-WebSocket-Key header containing base64-encoded random bytes, and the server replies with a hash of the key in the Sec-WebSocket-Accept header. Are you feeling confused? Don’t worry, I will explain more in the implementation part.


It’s time to make our hands dirty! I will use golang as the programming language. So please make sure you already set up the golang environment in your workstation.

  • HTPP Server

I will use the net/HTTP library as the HTTP server library.

Upon initialization, a HttpServer object will be created with our host and port options.

  • Connection Upgrade

You’ll have to handle the handshaking process. After creating the initial HTTP/1.1 connection, you need to request the upgrade by adding to a standard request the Upgrade and Connection headers. When upgrading HTTP/1.1 session into WebSocket connection you need to generating Sec-WebSocket-Accept value in the HTTP/1.1 upgrade response.

It does so by taking the value of the Sec-WebSocket-Key and concatenating it with "258EAFA5-E914-47DA-95CA-C5AB0DC85B11", a ‘magic string’, defined in the protocol specification. It takes this concatenation, creates a SHA1 digest of it, then encodes this digest in Base64. We can do this using the built-in crypto/sha1 and encoding/base64 libraries.

Now we can take this key, and write our expected response to the socket. This response includes the status code "101 Switching Protocols", to indicate that the server and client will now be speaking via a WebSocket. This also includes the same Upgrade and Connection headers sent to us by the client, and also the appropriate Sec-WebSocket-Accept key and value. After the upgrade connection mechanism, we need to make sure the connection is not immediately closed. So we will create an event loop. All of the incoming messages/requests will be received in the event loop. But I will explain it in another article.

Alright! Let’s make a client test! First, you need to open your browser, then open the javascript console and try this code.

Open your network section in the browser and you will find out a new WebSocket connection.

Hooray it ends here 🤗

I hope you enjoyed it. Leave a comment down below. If you faced any issue, leave a comment, I’ll help 😉.


Easy read, easy understanding.

Medium is an open platform where 170 million readers come to find insightful and dynamic thinking. Here, expert and undiscovered voices alike dive into the heart of any topic and bring new ideas to the surface. Learn more

Follow the writers, publications, and topics that matter to you, and you’ll see them on your homepage and in your inbox. Explore

If you have a story to tell, knowledge to share, or a perspective to offer — welcome home. It’s easy and free to post your thinking on any topic. Write on Medium

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store