Websocket
If you go through weboscket.org, you will see the essential events are onopen, onmessage, onerror, onclose. Naively I assumed that authentication should happen in onopen event. But this resulted in an unanticipated security breach. But first the normal web requests. In a normal requests, I can send custom headers like Authorization: Bearer token. This works, because the browser makes the preflight request, asking the server "I am about to make this request with this header and this method, do you allow it?". At this stage the server can reject this request, if either the method or the header doesn’t exist. ...