by tec27 4574 days ago
It's there to help guarantee that the server the browser is connecting to actually understands websockets and isn't being "tricked" into opening a connection through clever request formulation. With that guarantee in place, browsers can trust servers to properly check for and limit cross-domain requests and the like and not need to use something like CORS to negotiate that stuff.
1 comment

Why not skip all the hashing stuff? Why not just have Sec-Key: 'secret' and expect a reply with Sec-Accept: 'secret'? (where secret is a hardcoded constant)
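To make the exchange both comments are talking about concrete, here is an added example of the RFC 6455 opening handshake on both sides: the server checks the request headers, derives Sec-WebSocket-Accept from the client's Sec-WebSocket-Key (SHA-1 over the key string plus the fixed GUID, base64-encoded), and the client checks that the 101 response carries the value for the key it actually sent. This is my own illustration, not code from either commenter or from any WebSocket library; the function names and the ValueError-based rejection are my own choices. The request text is constructed to match the RFC's example handshake, and the key/accept pair is the RFC's published test vector.

```python
"""Illustration of the RFC 6455 opening handshake (example code, not a library)."""
import base64
import hashlib
import hmac
import secrets

# Fixed GUID from RFC 6455 section 1.3; every conforming server appends it to the key.
WS_GUID = "258EAFA5-E914-47DA-95CA-C5AB0DC85B11"

# RFC 6455 test vector (section 1.3): this key must yield this accept value.
RFC_KEY = "dGhlIHNhbXBsZSBub25jZQ=="
RFC_ACCEPT = "s3pPLMBiTxaQ9kYGzzhZRbK+xOo="

# Constructed request, modelled on the RFC's example; not a captured message.
SAMPLE_REQUEST = (
    "GET /chat HTTP/1.1\r\n"
    "Host: server.example.com\r\n"
    "Upgrade: websocket\r\n"
    "Connection: Upgrade\r\n"
    f"Sec-WebSocket-Key: {RFC_KEY}\r\n"
    "Origin: http://example.com\r\n"
    "Sec-WebSocket-Version: 13\r\n\r\n"
)


def compute_accept(client_key: str) -> str:
    """base64(SHA-1(key || GUID)); the key is used as the literal string sent,
    not base64-decoded first."""
    digest = hashlib.sha1((client_key + WS_GUID).encode("ascii")).digest()
    return base64.b64encode(digest).decode("ascii")


def generate_client_key() -> str:
    """RFC 6455 section 4.1: 16 random bytes, base64-encoded, fresh per connection."""
    return base64.b64encode(secrets.token_bytes(16)).decode("ascii")


def parse_http_head(raw: str):
    """Split an HTTP/1.1 message head into (start line, dict of lowercased header names)."""
    head = raw.partition("\r\n\r\n")[0]
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed header line: {line!r}")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def _has_upgrade_token(connection_value: str) -> bool:
    return "upgrade" in [t.strip().lower() for t in connection_value.split(",")]


def server_handshake(request: str) -> str:
    """Validate a client opening handshake (RFC 6455 section 4.2.1) and return the
    101 response text; raise ValueError for anything that is not a WebSocket handshake
    (a real server would answer with a 400 instead)."""
    start, h = parse_http_head(request)
    parts = start.split(" ")
    if len(parts) != 3 or parts[0] != "GET" or parts[2] != "HTTP/1.1":
        raise ValueError("not a GET over HTTP/1.1")
    if h.get("upgrade", "").lower() != "websocket":
        raise ValueError("missing Upgrade: websocket")
    if not _has_upgrade_token(h.get("connection", "")):
        raise ValueError("Connection header lacks the upgrade token")
    if h.get("sec-websocket-version") != "13":
        raise ValueError("unsupported Sec-WebSocket-Version")
    key = h.get("sec-websocket-key")
    if key is None:
        raise ValueError("missing Sec-WebSocket-Key")
    try:
        decoded = base64.b64decode(key, validate=True)
    except ValueError as exc:  # binascii.Error is a ValueError subclass
        raise ValueError("Sec-WebSocket-Key is not valid base64") from exc
    if len(decoded) != 16:
        raise ValueError("Sec-WebSocket-Key must decode to 16 bytes")
    return (
        "HTTP/1.1 101 Switching Protocols\r\n"
        "Upgrade: websocket\r\n"
        "Connection: Upgrade\r\n"
        f"Sec-WebSocket-Accept: {compute_accept(key)}\r\n\r\n"
    )


def accepts(request: str) -> bool:
    """True if server_handshake would complete the upgrade for this request."""
    try:
        server_handshake(request)
        return True
    except ValueError:
        return False


def client_verify(response: str, sent_key: str) -> bool:
    """Client side (RFC 6455 section 4.2.2): the response must be a 101 with the
    upgrade headers and an accept value derived from the key this client sent."""
    start, h = parse_http_head(response)
    if not start.startswith("HTTP/1.1 101"):
        return False
    if h.get("upgrade", "").lower() != "websocket":
        return False
    if not _has_upgrade_token(h.get("connection", "")):
        return False
    got = h.get("sec-websocket-accept", "").encode("utf-8")
    expected = compute_accept(sent_key).encode("ascii")
    return hmac.compare_digest(got, expected)


if __name__ == "__main__":
    response = server_handshake(SAMPLE_REQUEST)
    print(response)
    print("verifies for the sent key:", client_verify(response, RFC_KEY))
    print("verifies for a different key:", client_verify(response, generate_client_key()))
    print("plain HTTP GET accepted:", accepts("GET / HTTP/1.1\r\nHost: x\r\n\r\n"))
```

The last two checks are the point of the thread: a plain HTTP request with no Upgrade header is refused, and a 101 response minted for one key does not verify for another, because the accept value is a function of this connection's key. A fixed `Sec-Accept: secret` would be the same bytes on every connection, so nothing in the reply would tie it to the request the client just sent.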