RFC 6455 mandates the client-to-server XOR masking you implement here specifically to prevent cache-poisoning attacks against misbehaving HTTP proxies that sat between browsers and origin servers during WebSocket's early rollout. nginx's proxy_pass websocket support and every browser's WebSocket API perform this same Sec-WebSocket-Accept SHA-1 handshake before switching protocols, which is what makes real-time apps like Slack and multiplayer games possible over a single TCP connection.