Validate the connection token cookie on WebSocket upgrade requests.
Non-browser callers that omit the Origin header (e.g. Node.js scripts)
cannot provide the SameSite=Strict cookie either, so they are rejected.
Register the cookie middleware during initialize() via EarlyExpressMiddleware
so it runs before express.static() (which is registered later during configure()).
This ensures the browser receives the token cookie on the initial page load.
Validates WebSocket and HTTP requests using a cookie-based connection token.
In browser deployments, the server generates a random token at startup and sets it as a
SameSite=Strict; HttpOnly cookie on the first page load. Cross-origin pages cannot obtain or send this cookie, so their requests are rejected. This complements the origin validator: non-browser callers that omit the Origin header (e.g. Node.js scripts) still cannot reach the backend without the cookie.
Skipped in Electron deployments (which use their own ElectronSecurityToken).