The websocket support in it's current implementation is very easy to misuse.

The current implementation of this API creates websocket connections if user sends a request with header Upgrade set to websocket (case-insensitive) and if there is a handler. The handler is expected to write nothing to the socket. It should accept a QHttpServerResponder for that and not use any write methods there. This is non-obvious from API. Also, there is no way for the server to ensure that the handler is not writing anything to the stream. Websocket upgrade will be done on any route that has a handler. There is no way for a handler to stop a websocket upgrade, for example in case of authentication failure.

In my opinion, websocket handling code should be decoupled from routing code. Whatever handlers are used for websocket paths should be able to deny upgrades. Alternatively, websocket route handler may return some special type.