From ec09815ed527b8d744e49cdc9c475a20a2262f4f Mon Sep 17 00:00:00 2001
From: Richard Allen
Date: Thu, 26 Jun 2025 09:26:48 -0500
Subject: [PATCH] fix(transport_ws): Reject multiple Sec-WebSocket-Accept headers

Enforce RFC6455 requirement: The |Sec-WebSocket-Accept| header MUST NOT appear more than once in an HTTP response.
---
 components/tcp_transport/transport_ws.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/components/tcp_transport/transport_ws.c b/components/tcp_transport/transport_ws.c
index 22c618f1d7..35dfad98d7 100644
--- a/components/tcp_transport/transport_ws.c
+++ b/components/tcp_transport/transport_ws.c
@@ -324,6 +324,11 @@ static int ws_connect(esp_transport_handle_t t, const char *host, int port, int
 size_t header_sec_websocket_accept_len = strlen(header_sec_websocket_accept);
 if (line_len >= header_sec_websocket_accept_len && !strncasecmp(header_cursor, header_sec_websocket_accept, header_sec_websocket_accept_len)) {
 ESP_LOGD(TAG, "found server-key");
+ if(server_key || server_key_len){
+ // RFC6455: The |Sec-WebSocket-Accept| header MUST NOT appear more than once in an HTTP response.
+ ESP_LOGE(TAG, "Multiple Sec-WebSocket-Accept headers");
+ return -1;
+ }
 server_key = header_cursor + header_sec_websocket_accept_len;
 server_key_len = line_len - header_sec_websocket_accept_len;
 }
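Review bot: The new guard is written as `if(server_key || server_key_len){`, which does not match the `if (...) {` spacing used on the surrounding context lines of the same hunk; please write it as `if (server_key || server_key_len) {` so the duplicate-header check reads like the rest of ws_connect. The check itself is sound only if `server_key` and `server_key_len` are initialised to NULL/0 before the header-parsing loop begins; both are declared outside this hunk, so that should be confirmed rather than assumed. The early `return -1` also bypasses whatever runs after the loop in ws_connect; if the other failure exits of this function release the underlying connection or buffers before returning, this path should do the same, but the function's body starts and ends outside the hunk so I cannot verify that here. A short comment on why both conditions are tested, e.g. `// either field set means an Accept header was already parsed`, would help the next reader.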