[matharmin]

With your own native client: Yes, you can send arbitrary headers in the Upgrade request.

In a browser however, you can't. It typically sets very little headers itself, and doesn't allow you to add custom headers.

[whilenot-dev]

The auth headers (Authorization, Cookie) are all passed along, and that's what I want to establish a secure connection from the browser.

For more customized wishes there's always this "ticket"-based flow[0][1] that shouldn't be hard to implement. I might be a bit naive, but what needed metadata and custom headers are we talking about?

[0]: https://devcenter.heroku.com/articles/websocket-security#aut...

[1]: https://lucumr.pocoo.org/2012/9/24/websockets-101/#authoriza...