WebSocket primitives
DaloyJS ships runtime-agnostic WebSocket primitives in src/websocket.ts (re-exported from @daloyjs/core/websocket) plus adapter wiring for @daloyjs/core/node and @daloyjs/core/bun. Both adapters accept the same handler shape: the Bun-style open / message / close / drain / error callbacks, so the same app.ws(path, handler) registration works on either runtime without changes.
On Node the adapter only installs an upgrade listener when at least one WS route is registered, so apps that don't use WebSockets pay zero overhead. On Bun the adapter forwards to Bun.serve's native websocket config.
Since 0.23.0, app.ws() also normalizes safe runtime defaults: closeOnBackpressureLimit: true, a 1 MiB backpressureLimit, perMessageDeflate: false, a non-zero idleTimeout, and a 1 MiB maxPayloadLength. Production apps running with secureDefaults refuse perMessageDeflate: true.
Production routes also require an Origin policy with allowedOrigins or an explicit acknowledgeCrossOriginUpgrade: true. This closes the Cross-Site WebSocket Hijacking pattern behind Storybook's CVE-2026-27148: browsers attach cookies to WS handshakes, even when another site opened the socket.
Quick start
Handler shape
Use defineWebSocket() for full type-inference on path params (ctx.params), query (ctx.query), and per-connection state (conn.data):
Connection API
The WebSocketConnection passed to your handlers mirrors the WHATWG WebSocket interface where it makes sense on the server side:
conn.readyState: one ofWS_READY_STATE.CONNECTING / OPEN / CLOSING / CLOSED.conn.send(data, options?): send a text frame forstring, or a binary frame forUint8Array/ArrayBuffer. Pass{ binary: true }to force binary framing of a string.conn.ping(data?)/conn.pong(data?): control frames; payload must be ≤ 125 bytes per RFC 6455.conn.close(code?, reason?): graceful close (sends a CLOSE frame, fires yourclosehandler, then closes the underlying socket).conn.terminate(): immediate transport-level close, no CLOSE frame.conn.bufferedAmount,conn.protocol,conn.extensions,conn.binaryType.conn.data: opaque per-connection slot for your app state.
Protocol negotiation & upgrade hook
Optional beforeUpgrade(req, ctx) runs after the path match and Origin policy, but before the 101 response. Return a Response to reject (handy for auth or rate-limiting), or return a string to pick a subprotocol from Sec-WebSocket-Protocol:
- 01requestClientDaloyJS adapterGET with Upgrade: websocketOrigin policy checked first, then beforeUpgrade
- 02responseDaloyJS adapterClient101 Switching Protocols (or a rejection Response)Sec-WebSocket-Accept, optional negotiated subprotocol
- 03asyncDaloyJS adapterYour handleropen(conn, ctx)set conn.data, send a welcome frame
- 04asyncClientYour handlermessage(conn, data, isBinary)text or binary frames, capped by maxPayloadLength
- 05noteClientYour handlerclose(conn, code, reason)CLOSE frame, then the socket is torn down
Origin policy and CSWSH
allowedOrigins is checked before beforeUpgrade in both Node and Bun. Use "same-origin" for browser clients served from the same scheme, host, and port as the WS endpoint, use an array for explicit cross-origin browser clients, or use a predicate when machine clients must also send an Origin header.
Missing Origin is allowed by the "same-origin"and array policies because browsers send Origin on WS handshakes; no Origin usually means a CLI or server-to-server client. Use the predicate form when your route should reject clients that omit the header.
Upgrade rate limiting
Use wsRateLimit() in beforeUpgrade when a WebSocket route belongs to the same login or session-establishment surface as HTTP endpoints. It spends from the same rateLimit({ groupId }) bucket and preserves rate-limit headers on rejection.
Payload and backpressure limits
Override safe defaults per route when a connection needs tighter bounds. idleTimeout, backpressureLimit, and maxPayloadLength must be positive integers. If your WebSocket handler declares a body schema with a maximum size, Daloy refuses a larger maxPayloadLength at registration time.
Graceful shutdown
The Node adapter tracks every upgraded socket. When close() is invoked (or the app receives SIGTERM / SIGINT with handleSignals: true), all active WebSocket sockets are destroyed before server.close() resolves so the process exits promptly even if clients linger.
Custom adapters
If you target a runtime other than Node or Bun, import the primitives directly from @daloyjs/core/websocket:
FrameSink is a streaming RFC 6455 parser: feed it bytes via sink.push(chunk) and it dispatches onMessage (with reassembled payload + isBinary flag), onPing, onPong, onClose, and onProtocolError. UTF-8 validation on text frames is handled for you.