fix: forward Hono response headers during WebSocket upgrade#346
Merged
yusukebe merged 1 commit intohonojs:mainfrom Apr 30, 2026
Merged
fix: forward Hono response headers during WebSocket upgrade#346yusukebe merged 1 commit intohonojs:mainfrom
yusukebe merged 1 commit intohonojs:mainfrom
Conversation
Headers attached to the Response returned by the Hono app
(e.g. `Set-Cookie`, custom auth headers, `WWW-Authenticate` on reject)
were dropped during the WebSocket handshake on both successful and
rejected upgrades.
- Successful upgrade: append response headers via `wss.on('headers', ...)`,
the official `ws` API for injecting handshake headers. The listener is
removed in `finally`; `headers` is emitted synchronously inside
`handleUpgrade`, so it cannot leak across concurrent upgrades on the
shared `wss`.
- Rejected upgrade: include response headers in the manual
`socket.end(...)` HTTP response written by `rejectUpgradeRequest`.
- Skip hop-by-hop headers per RFC 9110 Section 7.6.1, framing
(`content-length`), and WebSocket handshake headers managed by `ws`
(`sec-websocket-accept`, `sec-websocket-extensions`, `sec-websocket-protocol`)
to avoid corrupting the handshake.
Member
|
Thanks! Good PR. I'll merge and release a new version now. Regarding honojs/middleware#1873, I think we can close it as the |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Forward headers attached to the
Responsereturned by the Hono app to the WebSocket upgrade response, so headers set by middleware (e.g.Set-Cookie, custom auth headers,WWW-Authenticateon reject) are no longer dropped during the handshake.Previously, in
src/websocket.tstheResponsereturned fromfetchCallback(...)was inspected only forstatus—response.headerswas discarded on both the successful and rejected paths.Changes
wss.on('headers', ...)(the officialwsAPI for injecting handshake headers). The listener is removed infinally;headersis emitted synchronously insidehandleUpgrade, so it cannot leak across concurrent upgrades on the sharedwss.socket.end(...)HTTP response produced byrejectUpgradeRequest.connection,keep-alive,proxy-authenticate,proxy-authorization,te,trailer,transfer-encoding,upgrade), framing (content-length), and WebSocket handshake headers managed byws(sec-websocket-accept,sec-websocket-extensions,sec-websocket-protocol) to avoid corrupting the handshake.Tests
Two new tests in
test/websocket.test.ts:Verification
bun run test --run test/websocket.test.ts(5/5 passing)bun run formatbun run lint(pre-existing warning inlistener.tsonly, unrelated to this change)bun run buildContext
A companion PR is open against
honojs/middlewarefor the same bug in@hono/node-ws: honojs/middleware#1873. Since@hono/node-wsis being deprecated in favor of@hono/node-server's built-inupgradeWebSocket(per honojs/middleware#1862), porting the fix here ensures the bug does not survive the migration.