Questions about WebSocket connections within a self-hosted ServiceNow environment.

Issue: Questions about WebSocket connections within a self-hosted environment.

Release: NA

What is WebSocket:
WebSocket is a protocol that provides full-duplex communication channels over a single TCP connection. Unlike HTTP, which provides half-duplex communication, WebSocket supports bidirectional information exchange. This means a server can push information to a client, which standard HTTP does not support.

Queries about WebSocket connections (Self-hosted)

1. Is the Origin header verified during the WebSocket handshake? Is Access-Control-Allow-Origin used as a server-side response header in WebSocket handshakes?
↪ Yes. A WebSocket origin-verification filter denies unauthorized origins with HTTP 403.
No. WebSockets do not use CORS headers; origin control is handled by WebSocket-specific verification, not Access-Control-Allow-Origin.

2. The instance uses a token for communication; is it also possible to use Token authentication for WebSockets?
↪ The platform itself does not authenticate WebSockets using OAuth/JWT natively at the WebSocket handshake layer, but implementations around the platform absolutely do support passing and validating tokens before or during WebSocket setup.

3. Is input validation of messages performed in both directions based on the data model?
↪ Based on all enterprise sources retrieved, there is no evidence that WebSocket message payloads are automatically validated in both directions against a predefined data model by the platform.

4. Is output encoding of messages performed when they are embedded into the web application?
↪ Yes, the platform does perform output encoding when user-supplied data is rendered in the web application, as part of its built-in XSS protection mechanisms.

5. Is there reliable logging of WebSocket communication or can this be implemented / can logging for WebSockets be enabled?
↪ Yes, logging for WebSocket activity does exist and can be enabled on both client and server sides. WebSocket/AMB troubleshooting uses standard platform logging plus browser-side logging. Here's how we typically approach it:

a. Client-side logging (official KB)
Please capture a HAR + console log while reproducing the issue using this KB:
KB1156577 – Capture web session traffic and console logs for troubleshooting: https://support.servicenow.com/kb?id=kb_article_view&sysparm_article=KB1156577
This provides the browser-side logs needed to analyze WebSocket behaviour.

b. Server-side logging
We temporarily increase log levels using System Logs → Loggers (sys_logger_configuration) for AMB/real-time components so the platform writes more detailed node logs during the reproduction window.

c. A/B diagnosis using WebSocket toggle
For transport-level comparison, the platform provides the following diagnostic switch: glide.cometd.websocket.enabled
For more information please refer to the below Knowledge article: https://support.servicenow.com/kb?id=kb_article_view&sysparm_article=KB0829978
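
To make the answer to question 1 concrete, here is an added example of handshake-time Origin verification with a 403 denial and no CORS header; it is not ServiceNow platform code. The allowlist, host names and the function names `normalizeOrigin`, `deny` and `checkHandshake` are assumptions made for this sketch, as is the choice to refuse a missing Origin.

```javascript
// Added illustration, not ServiceNow platform code. Host names are constructed.
const ALLOWED_ORIGINS = new Set(['https://instance.example.com']); // assumed allowlist

// Reduce an Origin value to scheme://host[:port]; null if it is not a plain web origin.
function normalizeOrigin(value) {
  if (typeof value !== 'string' || value === 'null') return null;
  let u;
  try { u = new URL(value); } catch (e) { return null; }
  if (u.protocol !== 'https:' && u.protocol !== 'http:') return null;
  // A serialized origin has no credentials, path, query or fragment.
  if (u.username || u.password || u.pathname !== '/' || u.search || u.hash) return null;
  return u.origin; // host lower-cased, default port removed
}

function deny(status, reason) {
  // No Access-Control-Allow-Origin here: CORS headers play no part in the handshake.
  return { status, headers: { Connection: 'close' }, reason };
}

// rawHeaders: array of [name, value] pairs from the HTTP upgrade request.
function checkHandshake(rawHeaders) {
  const h = new Map();
  for (const [name, value] of rawHeaders) {
    const key = name.toLowerCase();
    if (key === 'origin' && h.has(key)) return deny(403, 'duplicate Origin header');
    h.set(key, value);
  }
  if ((h.get('upgrade') || '').toLowerCase() !== 'websocket') {
    return deny(400, 'not a WebSocket upgrade');
  }
  // Policy choice of this example: a missing Origin (non-browser client) is refused.
  const origin = normalizeOrigin(h.get('origin'));
  if (origin === null) return deny(403, 'missing or malformed Origin');
  // Exact match on the normalized origin; prefix or substring tests would
  // accept look-alike hosts such as instance.example.com.other.test.
  if (!ALLOWED_ORIGINS.has(origin)) return deny(403, 'origin not allowed: ' + origin);
  // Sec-WebSocket-Accept is left to the server's WebSocket library.
  return { status: 101, headers: { Upgrade: 'websocket', Connection: 'Upgrade' },
           reason: 'origin allowed: ' + origin };
}
```

The `reason` string in each result is suitable for a server-side log entry, so denied handshakes can be reviewed alongside the logging described under question 5.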