In RFC 6455 che è la specifica del protocollo Websocket che dice:
It is similarly intended to fail to establish a connection when data from other protocols, especially HTTP, is sent to a WebSocket server, for example, as might happen if an HTML "form" were submitted to a WebSocket server. This is primarily achieved by requiring that the server prove that it read the handshake, which it can only do if the handshake contains the appropriate parts, which can only be sent by a WebSocket client. In particular, at the time of writing of this specification, fields starting with |Sec-| cannot be set by an attacker from a web browser using only HTML and JavaScript APIs such as XMLHttpRequest [XMLHttpRequest].
Conosco moduli HTML, ma perché server e client comunicano con moduli HTML? E quali sono | Sec- | campi? Non sono un professionista delle tecnologie web, ma so che i moduli HTML possono essere facilmente manipolati con le API HTML e Javascript.
Scusa se è troppo semplice da chiedere, dimmelo e andrò a leggere i tutorial pertinenti.