The client request

GET /chat HTTP/1.1
Host: example.com
Upgrade: websocket
Connection: Upgrade
Sec-WebSocket-Key: dGhlIHNhbXBsZSBub25jZQ==
Sec-WebSocket-Version: 13
Origin: https://example.com

The server response

HTTP/1.1 101 Switching Protocols
Upgrade: websocket
Connection: Upgrade
Sec-WebSocket-Accept: s3pPLMBiTxaQ9kYGzzhZRbK+xOo=

Computing Sec-WebSocket-Accept

The server takes the client's Sec-WebSocket-Key, appends the magic GUID 258EAFA5-E914-47DA-95CA-C5AB0DC85B11, computes the SHA-1 hash of the result, and base64-encodes the digest. This prevents accidental non-WebSocket clients from connecting.

Origin check

Browsers send the Origin header in the handshake request. Servers should validate its value against an allow-list to prevent CSRF-style attacks.

Subprotocol negotiation

The Sec-WebSocket-Protocol header negotiates the subprotocol. The client sends a list; the server picks one or refuses.
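
The three server-side steps above (computing Sec-WebSocket-Accept, the Origin check, and subprotocol negotiation) combined into one handshake validator. This is an added example, not code from the original page. The allow-list, the subprotocol names, the function names, and the choice of rejection status codes are assumptions.

```python
import base64
import hashlib

# GUID quoted in the text above; it is fixed by the WebSocket protocol.
MAGIC_GUID = "258EAFA5-E914-47DA-95CA-C5AB0DC85B11"

# Constructed sample policy (assumptions, not from the page).
ALLOWED_ORIGINS = {"https://example.com"}
SUPPORTED_SUBPROTOCOLS = ["chat.v2", "chat.v1"]  # server preference order


def compute_accept(key: str) -> str:
    """base64(SHA-1(key + GUID)), as described in the text."""
    digest = hashlib.sha1((key.strip() + MAGIC_GUID).encode("ascii")).digest()
    return base64.b64encode(digest).decode("ascii")


def handle_handshake(headers: dict) -> tuple:
    """Return (status, response_headers) for a client upgrade request."""
    h = {k.lower(): v.strip() for k, v in headers.items()}
    if h.get("upgrade", "").lower() != "websocket":
        return 400, {}
    if "upgrade" not in [t.strip().lower() for t in h.get("connection", "").split(",")]:
        return 400, {}
    if h.get("sec-websocket-version") != "13":
        return 426, {"Sec-WebSocket-Version": "13"}
    # The key must be the base64 encoding of exactly 16 bytes.
    try:
        if len(base64.b64decode(h.get("sec-websocket-key", ""), validate=True)) != 16:
            return 400, {}
    except ValueError:
        return 400, {}
    # Exact-match allow-list (never prefix or substring matching).
    # Rejecting a missing Origin is a policy choice made for this example.
    if h.get("origin") not in ALLOWED_ORIGINS:
        return 403, {}
    resp = {"Upgrade": "websocket", "Connection": "Upgrade",
            "Sec-WebSocket-Accept": compute_accept(h["sec-websocket-key"])}
    offered = [p.strip() for p in h.get("sec-websocket-protocol", "").split(",") if p.strip()]
    if offered:
        chosen = next((p for p in SUPPORTED_SUBPROTOCOLS if p in offered), None)
        if chosen is None:
            return 400, {}  # refuse: no subprotocol in common (policy choice)
        resp["Sec-WebSocket-Protocol"] = chosen
    return 101, resp
```

Non-browser clients can set Origin to any value, so the allow-list protects browser users from cross-site pages and does not replace authentication of the connection.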